Disallow indirect modification on readonly properties within __clone()

iluuu1994 · iluuu1994 · commit 624c061aa425 · 2024-08-02T17:39:10.000+02:00
Indirect modification isn't allowed in __construct() because it allows
references to leak, so it doesn't make much sense to allow it in __clone().
diff --git a/Zend/tests/readonly_props/readonly_clone_error5.phpt b/Zend/tests/readonly_props/readonly_clone_error5.phpt
@@ -57,20 +57,8 @@ try {
 }
 
 ?>
---EXPECTF--
-object(TestSetOnce)#%d (1) {
-  ["prop"]=>
-  array(1) {
-    [0]=>
-    int(1)
-  }
-}
-object(TestSetOnce)#%d (1) {
-  ["prop"]=>
-  array(1) {
-    [0]=>
-    int(1)
-  }
-}
+--EXPECT--
+Cannot indirectly modify readonly property TestSetOnce::$prop
+Cannot indirectly modify readonly property TestSetOnce::$prop
 Cannot indirectly modify readonly property TestSetTwice::$prop
 Cannot indirectly modify readonly property TestSetTwice::$prop
diff --git a/Zend/tests/readonly_props/readonly_clone_error7.phpt b/Zend/tests/readonly_props/readonly_clone_error7.phpt
@@ -0,0 +1,33 @@
+--TEST--
+__clone() cannot indirectly modify unlocked readonly properties
+--FILE--
+<?php
+
+class Foo {
+    public function __construct(
+        public readonly array $bar
+    ) {}
+
+    public function __clone()
+    {
+        $this->bar['bar'] = 'bar';
+    }
+}
+
+$foo = new Foo([]);
+// First call fills the cache slot
+try {
+    var_dump(clone $foo);
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+try {
+    var_dump(clone $foo);
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+Cannot indirectly modify readonly property Foo::$bar
+Cannot indirectly modify readonly property Foo::$bar
diff --git a/Zend/tests/readonly_props/readonly_clone_success3.phpt b/Zend/tests/readonly_props/readonly_clone_success3.phpt
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
@@ -3364,8 +3364,6 @@ static zend_always_inline void zend_fetch_property_address(zval *result, zval *c
 						ZEND_ASSERT(type == BP_VAR_W || type == BP_VAR_RW || type == BP_VAR_UNSET);
 						if (Z_TYPE_P(ptr) == IS_OBJECT) {
 							ZVAL_COPY(result, ptr);
-						} else if (Z_PROP_FLAG_P(ptr) & IS_PROP_REINITABLE) {
-							Z_PROP_FLAG_P(ptr) &= ~IS_PROP_REINITABLE;
 						} else {
 							zend_readonly_property_indirect_modification_error(prop_info);
 							ZVAL_ERROR(result);
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -694,8 +694,6 @@ ZEND_API zval *zend_std_read_property(zend_object *zobj, zend_string *name, int
 					 * to make sure no actual modification is possible. */
 					ZVAL_COPY(rv, retval);
 					retval = rv;
-				} else if (Z_PROP_FLAG_P(retval) & IS_PROP_REINITABLE) {
-					Z_PROP_FLAG_P(retval) &= ~IS_PROP_REINITABLE;
 				} else {
 					zend_readonly_property_indirect_modification_error(prop_info);
 					retval = &EG(uninitialized_zval);
