Add missing scope check for readonly prop initialization

If the initializing assignment is an array append we will go through the UNDEF codepath of get_property_ptr_ptr, which did not verify that the initialization scope is valid.
php · Sep 17, 2021 · 4796183 · 4796183
1 parent 5a1ab2c
commit 4796183
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 0 deletions.
diff --git a/Zend/tests/readonly_props/array_append_initialization.phpt b/Zend/tests/readonly_props/array_append_initialization.phpt
@@ -0,0 +1,36 @@
+--TEST--
+Use array append as initialization
+--FILE--
+<?php
+
+class C {
+    public readonly array $a;
+
+    public function init() {
+        $this->a[] = 1;
+        var_dump($this->a);
+    }
+}
+
+
+function init() {
+    $c = new C;
+    $c->a[] = 1;
+    var_dump($c->a);
+}
+
+(new C)->init();
+
+try {
+    init();
+} catch (Error $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  int(1)
+}
+Cannot initialize readonly property C::$a from global scope
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -1020,6 +1020,9 @@ ZEND_API zval *zend_std_get_property_ptr_ptr(zend_object *zobj, zend_string *nam
 						ZVAL_NULL(retval);
 						zend_error(E_WARNING, "Undefined property: %s::$%s", ZSTR_VAL(zobj->ce->name), ZSTR_VAL(name));
 					}
+				} else if (prop_info && UNEXPECTED(prop_info->flags & ZEND_ACC_READONLY)
+					&& !verify_readonly_initialization_access(prop_info, zobj->ce, name, "initialize")) {
+					retval = &EG(error_zval);
 				}
 			} else {
 				/* we do have getter - fail and let it try again with usual get/set */