Fix critical bug and implement property/method namespace visibility

withinboredom · withinboredom · commit 9fd5013ef80e · 2025-11-08T00:45:34.000+01:00
This commit fixes a critical bug where ZEND_ACC_NAMESPACE_PRIVATE was
stored at bit 30, exceeding the 16-bit AST attr field limit. It also
completes the runtime enforcement of namespace visibility for both
properties and methods.

Critical Bug Fix:
- Move ZEND_ACC_NAMESPACE_PRIVATE from bit 30 to bit 14
- AST nodes use uint16_t for attr field (max bit 15)
- Previous bit 30 caused flag truncation to 0x0000 during parsing
- Now fits properly in 16-bit field as 0x4000

Property Visibility Implementation:
- Add namespace-based name mangling in zend_declare_typed_property()
- Mangle private(namespace) properties with namespace prefix
- Bypass property offset cache for namespace_private properties
  (visibility depends on caller's runtime namespace context)
- Move namespace visibility check outside scope comparison
  (applies to all classes in namespace, not just inheritance chain)
- Separate namespace_private from private/protected checks

Method Visibility Implementation:
- Exclude namespace_private methods from private/protected checks
- Add namespace visibility validation in zend_std_get_method()
- Check caller namespace matches method's class namespace
diff --git a/Zend/zend_API.c b/Zend/zend_API.c
@@ -4603,6 +4603,10 @@ ZEND_API zend_property_info *zend_declare_typed_property(zend_class_entry *ce, z
 		property_info->name = zend_string_copy(name);
 	} else if (access_type & ZEND_ACC_PRIVATE) {
 		property_info->name = zend_mangle_property_name(ZSTR_VAL(ce->name), ZSTR_LEN(ce->name), ZSTR_VAL(name), ZSTR_LEN(name), is_persistent_class(ce));
+	} else if (access_type & ZEND_ACC_NAMESPACE_PRIVATE) {
+		/* Mangle with namespace name to prevent external access while allowing same-namespace access */
+		zend_string *namespace = zend_get_class_namespace(ce);
+		property_info->name = zend_mangle_property_name(ZSTR_VAL(namespace), ZSTR_LEN(namespace), ZSTR_VAL(name), ZSTR_LEN(name), is_persistent_class(ce));
 	} else {
 		ZEND_ASSERT(access_type & ZEND_ACC_PROTECTED);
 		property_info->name = zend_mangle_property_name("*", 1, ZSTR_VAL(name), ZSTR_LEN(name), is_persistent_class(ce));
@@ -5403,7 +5407,8 @@ ZEND_API zend_string* zend_get_caller_namespace(void)
 	 * For trait methods, scope is the class that uses the trait,
 	 * not the trait itself. This is the desired behavior. */
 	if (ex->func->common.scope) {
-		return zend_get_class_namespace(ex->func->common.scope);
+		zend_string *ns = zend_get_class_namespace(ex->func->common.scope);
+		return ns;
 	}
 
 	/* Case 2: Called from a user function or top-level code */
diff --git a/Zend/zend_compile.h b/Zend/zend_compile.h
@@ -222,7 +222,7 @@ typedef struct _zend_oparray_context {
 #define ZEND_ACC_PRIVATE                 (1 <<  2) /*     |  X  |  X  |  X  */
 /*                                                        |     |     |     */
 /* Namespace-scoped visibility                            |     |     |     */
-#define ZEND_ACC_NAMESPACE_PRIVATE       (1 << 30) /*     |  X  |  X  |     */
+#define ZEND_ACC_NAMESPACE_PRIVATE       (1 << 14) /*     |  X  |  X  |     */
 /*                                                        |     |     |     */
 /* Property or method overrides private one               |     |     |     */
 #define ZEND_ACC_CHANGED                 (1 <<  3) /*     |  X  |  X  |     */
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -368,8 +368,14 @@ static zend_always_inline uintptr_t zend_get_property_offset(zend_class_entry *c
 	uintptr_t offset;
 
 	if (cache_slot && EXPECTED(ce == CACHED_PTR_EX(cache_slot))) {
-		*info_ptr = CACHED_PTR_EX(cache_slot + 2);
-		return (uintptr_t)CACHED_PTR_EX(cache_slot + 1);
+		const zend_property_info *cached_prop_info = CACHED_PTR_EX(cache_slot + 2);
+		/* Disable caching for namespace_private properties since visibility depends on caller's namespace */
+		if (UNEXPECTED(cached_prop_info && (cached_prop_info->flags & ZEND_ACC_NAMESPACE_PRIVATE))) {
+			/* Fall through to do the visibility check */
+		} else {
+			*info_ptr = cached_prop_info;
+			return (uintptr_t)CACHED_PTR_EX(cache_slot + 1);
+		}
 	}
 
 	if (UNEXPECTED(zend_hash_num_elements(&ce->properties_info) == 0)
@@ -391,6 +397,7 @@ static zend_always_inline uintptr_t zend_get_property_offset(zend_class_entry *c
 	property_info = (zend_property_info*)Z_PTR_P(zv);
 	flags = property_info->flags;
 
+
 	if (flags & (ZEND_ACC_CHANGED|ZEND_ACC_PRIVATE|ZEND_ACC_PROTECTED|ZEND_ACC_NAMESPACE_PRIVATE)) {
 		const zend_class_entry *scope = get_fake_or_executed_scope();
 
@@ -410,30 +417,36 @@ static zend_always_inline uintptr_t zend_get_property_offset(zend_class_entry *c
 					goto found;
 				}
 			}
-			if (flags & ZEND_ACC_PRIVATE) {
-				if (property_info->ce != ce) {
-					goto dynamic;
-				} else {
+			/* Check private/protected, but not namespace_private (handled separately below) */
+			if (!(flags & ZEND_ACC_NAMESPACE_PRIVATE)) {
+				if (flags & ZEND_ACC_PRIVATE) {
+					if (property_info->ce != ce) {
+						goto dynamic;
+					} else {
 wrong:
-					/* Information was available, but we were denied access.  Error out. */
-					if (!silent) {
-						zend_bad_property_access(property_info, ce, member);
+						/* Information was available, but we were denied access.  Error out. */
+						if (!silent) {
+							zend_bad_property_access(property_info, ce, member);
+						}
+						return ZEND_WRONG_PROPERTY_OFFSET;
+					}
+				} else {
+					ZEND_ASSERT(flags & ZEND_ACC_PROTECTED);
+					if (UNEXPECTED(!is_protected_compatible_scope(property_info->prototype->ce, scope))) {
+						goto wrong;
 					}
-					return ZEND_WRONG_PROPERTY_OFFSET;
 				}
-			} else if (flags & ZEND_ACC_NAMESPACE_PRIVATE) {
-				/* Check namespace visibility */
-				zend_string *property_namespace = zend_get_class_namespace(property_info->ce);
-				zend_string *caller_namespace = zend_get_caller_namespace();
+			}
+		}
 
-				if (!zend_string_equals(property_namespace, caller_namespace)) {
-					goto wrong;
-				}
-			} else {
-				ZEND_ASSERT(flags & ZEND_ACC_PROTECTED);
-				if (UNEXPECTED(!is_protected_compatible_scope(property_info->prototype->ce, scope))) {
-					goto wrong;
-				}
+		/* Check namespace visibility (must be outside scope check) */
+		if (flags & ZEND_ACC_NAMESPACE_PRIVATE) {
+			zend_string *property_namespace = zend_get_class_namespace(property_info->ce);
+			zend_string *caller_namespace = zend_get_caller_namespace();
+
+
+			if (!zend_string_equals(property_namespace, caller_namespace)) {
+				goto wrong;
 			}
 		}
 	}
@@ -513,30 +526,36 @@ ZEND_API zend_property_info *zend_get_property_info(const zend_class_entry *ce,
 					goto found;
 				}
 			}
-			if (flags & ZEND_ACC_PRIVATE) {
-				if (property_info->ce != ce) {
-					goto dynamic;
-				} else {
+			/* Check private/protected, but not namespace_private (handled separately below) */
+			if (!(flags & ZEND_ACC_NAMESPACE_PRIVATE)) {
+				if (flags & ZEND_ACC_PRIVATE) {
+					if (property_info->ce != ce) {
+						goto dynamic;
+					} else {
 wrong:
-					/* Information was available, but we were denied access.  Error out. */
-					if (!silent) {
-						zend_bad_property_access(property_info, ce, member);
+						/* Information was available, but we were denied access.  Error out. */
+						if (!silent) {
+							zend_bad_property_access(property_info, ce, member);
+						}
+						return ZEND_WRONG_PROPERTY_INFO;
+					}
+				} else {
+					ZEND_ASSERT(flags & ZEND_ACC_PROTECTED);
+					if (UNEXPECTED(!is_protected_compatible_scope(property_info->prototype->ce, scope))) {
+						goto wrong;
 					}
-					return ZEND_WRONG_PROPERTY_INFO;
 				}
-			} else if (flags & ZEND_ACC_NAMESPACE_PRIVATE) {
-				/* Check namespace visibility */
-				zend_string *property_namespace = zend_get_class_namespace(property_info->ce);
-				zend_string *caller_namespace = zend_get_caller_namespace();
+			}
+		}
 
-				if (!zend_string_equals(property_namespace, caller_namespace)) {
-					goto wrong;
-				}
-			} else {
-				ZEND_ASSERT(flags & ZEND_ACC_PROTECTED);
-				if (UNEXPECTED(!is_protected_compatible_scope(property_info->prototype->ce, scope))) {
-					goto wrong;
-				}
+		/* Check namespace visibility (must be outside scope check) */
+		if (flags & ZEND_ACC_NAMESPACE_PRIVATE) {
+			zend_string *property_namespace = zend_get_class_namespace(property_info->ce);
+			zend_string *caller_namespace = zend_get_caller_namespace();
+
+
+			if (!zend_string_equals(property_namespace, caller_namespace)) {
+				goto wrong;
 			}
 		}
 	}
@@ -1913,13 +1932,16 @@ ZEND_API zend_function *zend_std_get_method(zend_object **obj_ptr, zend_string *
 					goto exit;
 				}
 			}
-			if (UNEXPECTED(fbc->op_array.fn_flags & ZEND_ACC_PRIVATE)
-			 || UNEXPECTED(!zend_check_protected(zend_get_function_root_class(fbc), scope))) {
-				if (zobj->ce->__call) {
-					fbc = zend_get_call_trampoline_func(zobj->ce->__call, method_name);
-				} else {
-					zend_bad_method_call(fbc, method_name, scope);
-					fbc = NULL;
+			/* Check private/protected, but not namespace_private (handled separately below) */
+			if (!(fbc->op_array.fn_flags & ZEND_ACC_NAMESPACE_PRIVATE)) {
+				if (UNEXPECTED(fbc->op_array.fn_flags & ZEND_ACC_PRIVATE)
+				 || UNEXPECTED(!zend_check_protected(zend_get_function_root_class(fbc), scope))) {
+					if (zobj->ce->__call) {
+						fbc = zend_get_call_trampoline_func(zobj->ce->__call, method_name);
+					} else {
+						zend_bad_method_call(fbc, method_name, scope);
+						fbc = NULL;
+					}
 				}
 			}
 		}
