Store the original value in SensitiveParameterValue

Author: TimWolla

Zend/tests/function_arguments/sensitive_parameter_value.phpt

@@ -0,0 +1,18 @@
+--TEST--
+SensitiveParameterValue behaves as expected.
+--FILE--
+<?php
+
+$v = new SensitiveParameterValue('secret');
+
+var_dump($v);
+var_dump(serialize($v));
+var_dump(json_encode($v));
+var_dump($v->getValue());
+?>
+--EXPECTF--
+object(SensitiveParameterValue)#%d (0) {
+}
+string(35) "O:23:"SensitiveParameterValue":0:{}"
+string(2) "{}"
+string(6) "secret"

Zend/tests/function_arguments/sensitive_parameter_value_unserialize.phpt

@@ -0,0 +1,16 @@
+--TEST--
+SensitiveParameterValue may not be unserialized.
+--FILE--
+<?php
+
+$v = new SensitiveParameterValue('secret');
+
+var_dump(unserialize(serialize($v)));
+?>
+--EXPECTF--
+Fatal error: Uncaught Exception: Unserializing objects of class SensitiveParameterValue is not supported. in %ssensitive_parameter_value_unserialize.php:5
+Stack trace:
+#0 [internal function]: SensitiveParameterValue->__unserialize(Array)
+#1 %ssensitive_parameter_value_unserialize.php(5): unserialize('O:23:"Sensitive...')
+#2 {main}
+  thrown in %ssensitive_parameter_value_unserialize.php on line 5

Zend/zend_attributes.c

@@ -21,6 +21,7 @@
 #include "zend_API.h"
 #include "zend_attributes.h"
 #include "zend_attributes_arginfo.h"
+#include "zend_exceptions.h"
 #include "zend_smart_str.h"
 
 ZEND_API zend_class_entry *zend_ce_attribute;
@@ -100,9 +101,52 @@ ZEND_METHOD(SensitiveParameter, __construct)
 
 ZEND_METHOD(SensitiveParameterValue, __construct)
 {
-	ZEND_PARSE_PARAMETERS_NONE();
+	zval *value;
+
+	ZEND_PARSE_PARAMETERS_START(1, 1)
+		Z_PARAM_ZVAL(value)
+	ZEND_PARSE_PARAMETERS_END();
+
+	ZVAL_COPY(OBJ_PROP_NUM(Z_OBJ_P(ZEND_THIS), 0), value);
 }
 
+/* {{{ */
+ZEND_METHOD(SensitiveParameterValue, getValue)
+{
+	ZEND_PARSE_PARAMETERS_NONE();
+
+	ZVAL_COPY(return_value, OBJ_PROP_NUM(Z_OBJ_P(ZEND_THIS), 0));
+} /* }}} */
+
+/* {{{ */
+ZEND_METHOD(SensitiveParameterValue, __debugInfo)
+{
+	ZEND_PARSE_PARAMETERS_NONE();
+
+	array_init(return_value);
+} /* }}} */
+
+/* {{{ */
+ZEND_METHOD(SensitiveParameterValue, __serialize)
+{
+	ZEND_PARSE_PARAMETERS_NONE();
+
+	array_init(return_value);
+} /* }}} */
+
+/* {{{ */
+ZEND_METHOD(SensitiveParameterValue, __unserialize)
+{
+	HashTable *data;
+
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "h", &data) == FAILURE) {
+		RETURN_THROWS();
+	}
+
+	zend_throw_exception(NULL, "Unserializing objects of class SensitiveParameterValue is not supported.", 0);
+	RETURN_THROWS();
+} /* }}} */
+
 static zend_attribute *get_attribute(HashTable *attributes, zend_string *lcname, uint32_t offset)
 {
 	if (attributes) {

Zend/zend_attributes.stub.php

@@ -26,5 +26,15 @@ public function __construct() {}
 
 final class SensitiveParameterValue
 {
-    public function __construct() {}
+    private mixed $value;
+
+    public function __construct(mixed $value) {}
+
+    public function getValue(): mixed {}
+
+    public function __serialize(): array {}
+
+    public function __unserialize(array $data): void {}
+
+    public function __debugInfo(): array{}
 }

Zend/zend_attributes_arginfo.h

@@ -1,5 +1,5 @@
 /* This is a generated file, edit the .stub.php file instead.
- * Stub hash: 5cc7e0e910c5d61926451412e176fa00a92b3239 */
+ * Stub hash: f5eecf818174dad27449a9f1c944f47a17d63c30 */
 
 ZEND_BEGIN_ARG_INFO_EX(arginfo_class_Attribute___construct, 0, 0, 0)
 	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, flags, IS_LONG, 0, "Attribute::TARGET_ALL")
@@ -12,14 +12,32 @@ ZEND_END_ARG_INFO()
 
 #define arginfo_class_SensitiveParameter___construct arginfo_class_ReturnTypeWillChange___construct
 
-#define arginfo_class_SensitiveParameterValue___construct arginfo_class_ReturnTypeWillChange___construct
+ZEND_BEGIN_ARG_INFO_EX(arginfo_class_SensitiveParameterValue___construct, 0, 0, 1)
+	ZEND_ARG_TYPE_INFO(0, value, IS_MIXED, 0)
+ZEND_END_ARG_INFO()
+
+ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_class_SensitiveParameterValue_getValue, 0, 0, IS_MIXED, 0)
+ZEND_END_ARG_INFO()
+
+ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_class_SensitiveParameterValue___serialize, 0, 0, IS_ARRAY, 0)
+ZEND_END_ARG_INFO()
+
+ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_class_SensitiveParameterValue___unserialize, 0, 1, IS_VOID, 0)
+	ZEND_ARG_TYPE_INFO(0, data, IS_ARRAY, 0)
+ZEND_END_ARG_INFO()
+
+#define arginfo_class_SensitiveParameterValue___debugInfo arginfo_class_SensitiveParameterValue___serialize
 
 
 ZEND_METHOD(Attribute, __construct);
 ZEND_METHOD(ReturnTypeWillChange, __construct);
 ZEND_METHOD(AllowDynamicProperties, __construct);
 ZEND_METHOD(SensitiveParameter, __construct);
 ZEND_METHOD(SensitiveParameterValue, __construct);
+ZEND_METHOD(SensitiveParameterValue, getValue);
+ZEND_METHOD(SensitiveParameterValue, __serialize);
+ZEND_METHOD(SensitiveParameterValue, __unserialize);
+ZEND_METHOD(SensitiveParameterValue, __debugInfo);
 
 
 static const zend_function_entry class_Attribute_methods[] = {
@@ -48,6 +66,10 @@ static const zend_function_entry class_SensitiveParameter_methods[] = {
 
 static const zend_function_entry class_SensitiveParameterValue_methods[] = {
 	ZEND_ME(SensitiveParameterValue, __construct, arginfo_class_SensitiveParameterValue___construct, ZEND_ACC_PUBLIC)
+	ZEND_ME(SensitiveParameterValue, getValue, arginfo_class_SensitiveParameterValue_getValue, ZEND_ACC_PUBLIC)
+	ZEND_ME(SensitiveParameterValue, __serialize, arginfo_class_SensitiveParameterValue___serialize, ZEND_ACC_PUBLIC)
+	ZEND_ME(SensitiveParameterValue, __unserialize, arginfo_class_SensitiveParameterValue___unserialize, ZEND_ACC_PUBLIC)
+	ZEND_ME(SensitiveParameterValue, __debugInfo, arginfo_class_SensitiveParameterValue___debugInfo, ZEND_ACC_PUBLIC)
 	ZEND_FE_END
 };
 
@@ -109,5 +131,11 @@ static zend_class_entry *register_class_SensitiveParameterValue(void)
 	class_entry = zend_register_internal_class_ex(&ce, NULL);
 	class_entry->ce_flags |= ZEND_ACC_FINAL;
 
+	zval property_value_default_value;
+	ZVAL_UNDEF(&property_value_default_value);
+	zend_string *property_value_name = zend_string_init("value", sizeof("value") - 1, 1);
+	zend_declare_typed_property(class_entry, property_value_name, &property_value_default_value, ZEND_ACC_PRIVATE, NULL, (zend_type) ZEND_TYPE_INIT_MASK(MAY_BE_ANY));
+	zend_string_release(property_value_name);
+
 	return class_entry;
 }

Zend/zend_builtin_functions.c

@@ -24,6 +24,7 @@
 #include "zend_builtin_functions.h"
 #include "zend_constants.h"
 #include "zend_ini.h"
+#include "zend_interfaces.h"
 #include "zend_exceptions.h"
 #include "zend_extensions.h"
 #include "zend_closures.h"
@@ -1567,25 +1568,35 @@ static void debug_backtrace_get_args(zend_execute_data *call, zval *arg_array) /
 						);
 
 						if (attribute != NULL) {
-							zval arg;
-							object_init_ex(&arg, zend_ce_sensitive_parameter_value);
-							ZEND_HASH_FILL_SET(&arg);
 							last_was_sensitive = 1;
 						} else {
 							last_was_sensitive = 0;
-							if (arg) {
-								ZVAL_DEREF(arg);
-								Z_TRY_ADDREF_P(arg);
-								ZEND_HASH_FILL_SET(arg);
-							} else {
-								ZEND_HASH_FILL_SET_NULL();
-							}
+							
 						}
+
+						if (arg) {
+							ZVAL_DEREF(arg);
+							Z_TRY_ADDREF_P(arg);
+						} else {
+							ZVAL_NULL(arg);
+						}
+
+						if (last_was_sensitive) {
+							zval new_arg;
+							object_init_ex(&new_arg, zend_ce_sensitive_parameter_value);
+							zend_call_method_with_1_params(Z_OBJ_P(&new_arg), zend_ce_sensitive_parameter_value, &zend_ce_sensitive_parameter_value->constructor, "__construct", NULL, arg);
+							ZEND_HASH_FILL_SET(&new_arg);
+						} else {
+							ZEND_HASH_FILL_SET(arg);
+						}
+
 						ZEND_HASH_FILL_NEXT();
 						i++;
 					}
 				} else {
 					while (i < first_extra_arg) {
+						zval *arg;
+
 						zend_attribute *attribute = zend_get_parameter_attribute_str(
 							call->func->op_array.attributes,
 							"sensitiveparameter",
@@ -1594,22 +1605,28 @@ static void debug_backtrace_get_args(zend_execute_data *call, zval *arg_array) /
 						);
 
 						if (attribute != NULL) {
-							zval arg;
-							object_init_ex(&arg, zend_ce_sensitive_parameter_value);
-							ZEND_HASH_FILL_SET(&arg);
 							last_was_sensitive = 1;
 						} else {
 							last_was_sensitive = 0;
+						}
+
+						if (EXPECTED(Z_TYPE_INFO_P(p) != IS_UNDEF)) {
+							arg = p;
+							ZVAL_DEREF(arg);
+							Z_TRY_ADDREF_P(arg);
+						} else {
+							ZVAL_NULL(arg);
+						}
 
-							if (EXPECTED(Z_TYPE_INFO_P(p) != IS_UNDEF)) {
-								zval *arg = p;
-								ZVAL_DEREF(arg);
-								Z_TRY_ADDREF_P(arg);
-								ZEND_HASH_FILL_SET(arg);
-							} else {
-								ZEND_HASH_FILL_SET_NULL();
-							}
+						if (last_was_sensitive) {
+							zval new_arg;
+							object_init_ex(&new_arg, zend_ce_sensitive_parameter_value);
+							zend_call_method_with_1_params(Z_OBJ_P(&new_arg), zend_ce_sensitive_parameter_value, &zend_ce_sensitive_parameter_value->constructor, "__construct", NULL, arg);
+							ZEND_HASH_FILL_SET(&new_arg);
+						} else {
+							ZEND_HASH_FILL_SET(arg);
 						}
+
 						ZEND_HASH_FILL_NEXT();
 						p++;
 						i++;
@@ -1619,6 +1636,8 @@ static void debug_backtrace_get_args(zend_execute_data *call, zval *arg_array) /
 			}
 
 			while (i < num_args) {
+				zval *arg;
+
 				zend_attribute *attribute = zend_get_parameter_attribute_str(
 					call->func->op_array.attributes,
 					"sensitiveparameter",
@@ -1630,22 +1649,30 @@ static void debug_backtrace_get_args(zend_execute_data *call, zval *arg_array) /
 					(i > call->func->op_array.num_args && last_was_sensitive)
 					|| attribute != NULL
 				) {
-					zval arg;
-					object_init_ex(&arg, zend_ce_sensitive_parameter_value);
-					ZEND_HASH_FILL_SET(&arg);
+					
 					last_was_sensitive = 1;
 				} else {
 					last_was_sensitive = 0;
+				}
 
-					if (EXPECTED(Z_TYPE_INFO_P(p) != IS_UNDEF)) {
-						zval *arg = p;
-						ZVAL_DEREF(arg);
-						Z_TRY_ADDREF_P(arg);
-						ZEND_HASH_FILL_SET(arg);
-					} else {
-						ZEND_HASH_FILL_SET_NULL();
-					}
+				
+				if (EXPECTED(Z_TYPE_INFO_P(p) != IS_UNDEF)) {
+					arg = p;
+					ZVAL_DEREF(arg);
+					Z_TRY_ADDREF_P(arg);
+				} else {
+					ZVAL_NULL(arg);
+				}
+
+				if (last_was_sensitive) {
+					zval new_arg;
+					object_init_ex(&new_arg, zend_ce_sensitive_parameter_value);
+					zend_call_method_with_1_params(Z_OBJ_P(&new_arg), zend_ce_sensitive_parameter_value, &zend_ce_sensitive_parameter_value->constructor, "__construct", NULL, arg);
+					ZEND_HASH_FILL_SET(&new_arg);
+				} else {
+					ZEND_HASH_FILL_SET(arg);
 				}
+
 				ZEND_HASH_FILL_NEXT();
 				p++;
 				i++;