Advise trusting the input in the allow_named_closures refusal message

nicolas-grekas · nicolas-grekas · commit c838ae34a8bc · 2026-06-11T18:25:53.000+02:00
deepclone_to_array() refuses to serialize a closure over a named callable unless allow_named_closures is set. The message now quotes the option and adds that it should be enabled only for trusted input, since a by-name payload can mint a Closure over any function or method of that name. This mirrors the polyfill's wording (symfony/polyfill#635), which additionally points at this extension; the extension does not suggest installing itself.
diff --git a/deepclone.c b/deepclone.c
@@ -2100,7 +2100,7 @@ static void dc_copy_value(dc_ctx *ctx, zval *src, zval *dst, zval *mask_dst)
 		 * ends must enable. */
 		if (func && (func->common.fn_flags & ZEND_ACC_FAKE_CLOSURE)) {
 			if (!ctx->allow_named_closures) {
-				zend_value_error("deepclone_to_array(): serializing a closure over the named callable \"%s\" requires enabling the allow_named_closures option", ZSTR_VAL(func->common.function_name));
+				zend_value_error("deepclone_to_array(): serializing a closure over the named callable \"%s\" requires enabling the \"allow_named_closures\" option; do it only if you trust the input", ZSTR_VAL(func->common.function_name));
 				return;
 			}
 			if (!dc_class_allowed(ctx->allowed_ht, zend_ce_closure->name)) {
diff --git a/tests/deepclone_attribute_provenance.phpt b/tests/deepclone_attribute_provenance.phpt
@@ -99,5 +99,5 @@ bool(true)
 bool(true)
 bool(true)
 == 5. a callable no attribute declares stays by-name (needs the opt-in) ==
-uncaptured: ValueError: deepclone_to_array(): serializing a closure over the named callable "loose" requires enabling the allow_named_closures option
+uncaptured: ValueError: deepclone_to_array(): serializing a closure over the named callable "loose" requires enabling the "allow_named_closures" option; do it only if you trust the input
 Done
diff --git a/tests/deepclone_from_array.phpt b/tests/deepclone_from_array.phpt
@@ -70,7 +70,7 @@ try {
     deepclone_to_array(strlen(...));
     echo "no throw\n";
 } catch (ValueError $e) {
-    var_dump($e->getMessage() === 'deepclone_to_array(): serializing a closure over the named callable "strlen" requires enabling the allow_named_closures option');
+    var_dump($e->getMessage() === 'deepclone_to_array(): serializing a closure over the named callable "strlen" requires enabling the "allow_named_closures" option; do it only if you trust the input');
 }
 $clone = deepclone_from_array(deepclone_to_array(strlen(...), allow_named_closures: true), allow_named_closures: true);
 var_dump($clone('hello') === 5);
diff --git a/tests/deepclone_named_closure_optin.phpt b/tests/deepclone_named_closure_optin.phpt
@@ -89,8 +89,8 @@ bool(true)
 bool(true)
 bool(true)
 == 3. a runtime named closure refuses to_array without the opt-in ==
-strlen: ValueError: deepclone_to_array(): serializing a closure over the named callable "strlen" requires enabling the allow_named_closures option
-Helper::pub: ValueError: deepclone_to_array(): serializing a closure over the named callable "pub" requires enabling the allow_named_closures option
+strlen: ValueError: deepclone_to_array(): serializing a closure over the named callable "strlen" requires enabling the "allow_named_closures" option; do it only if you trust the input
+Helper::pub: ValueError: deepclone_to_array(): serializing a closure over the named callable "pub" requires enabling the "allow_named_closures" option; do it only if you trust the input
 == 4. with the opt-in on both ends it round-trips by name ==
 bool(true)
 bool(true)

Original file line number	Diff line number	Diff line change
`@@ -2100,7 +2100,7 @@ static void dc_copy_value(dc_ctx ctx, zval src, zval dst, zval mask_dst)`
`2100`	`2100`	`* ends must enable. */`
`2101`	`2101`	`if (func && (func->common.fn_flags & ZEND_ACC_FAKE_CLOSURE)) {`
`2102`	`2102`	`if (!ctx->allow_named_closures) {`
`2103`		`- zend_value_error("deepclone_to_array(): serializing a closure over the named callable \"%s\" requires enabling the allow_named_closures option", ZSTR_VAL(func->common.function_name));`
	`2103`	`+ zend_value_error("deepclone_to_array(): serializing a closure over the named callable \"%s\" requires enabling the \"allow_named_closures\" option; do it only if you trust the input", ZSTR_VAL(func->common.function_name));`
`2104`	`2104`	`return;`
`2105`	`2105`	`}`
`2106`	`2106`	`if (!dc_class_allowed(ctx->allowed_ht, zend_ce_closure->name)) {`
Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,7 @@ try {`
`70`	`70`	`deepclone_to_array(strlen(...));`
`71`	`71`	`echo "no throw\n";`
`72`	`72`	`} catch (ValueError $e) {`
`73`		`- var_dump($e->getMessage() === 'deepclone_to_array(): serializing a closure over the named callable "strlen" requires enabling the allow_named_closures option');`
	`73`	`+ var_dump($e->getMessage() === 'deepclone_to_array(): serializing a closure over the named callable "strlen" requires enabling the "allow_named_closures" option; do it only if you trust the input');`
`74`	`74`	`}`
`75`	`75`	`$clone = deepclone_from_array(deepclone_to_array(strlen(...), allow_named_closures: true), allow_named_closures: true);`
`76`	`76`	`var_dump($clone('hello') === 5);`