Fix GH-20370: forbid user stream filters to violate typed property constraints

alexandre-daubois · alexandre-daubois · commit b0808cec92e4 · 2025-11-03T09:43:04.000+01:00
diff --git a/NEWS b/NEWS
@@ -81,6 +81,8 @@ PHP                                                                        NEWS
 - Streams:
   . Fixed bug GH-19798: XP_SOCKET XP_SSL (Socket stream modules): Incorrect
     condition for Win32/Win64. (Jakub Zelenka)
+  . Fixed bug GH-20370 (User stream filters could violate typed property
+    constraints). (alexandre-daubois)
 
 - Tidy:
   . Fixed GH-19021 (improved tidyOptGetCategory detection).
diff --git a/ext/standard/tests/filters/gh20370.phpt b/ext/standard/tests/filters/gh20370.phpt
@@ -0,0 +1,40 @@
+--TEST--
+GH-20370 (User filters should respect typed properties)
+--FILE--
+<?php
+
+class pass_filter
+{
+    public $filtername;
+    public $params;
+    public int $stream = 1;
+
+    function filter($in, $out, &$consumed, $closing): int
+    {
+        while ($bucket = stream_bucket_make_writeable($in)) {
+            $consumed += $bucket->datalen;
+            stream_bucket_append($out, $bucket);
+        }
+        return PSFS_PASS_ON;
+    }
+}
+
+stream_filter_register("pass", "pass_filter");
+$fp = fopen("php://memory", "w");
+stream_filter_append($fp, "pass");
+
+try {
+    fwrite($fp, "data");
+} catch (TypeError $e) {
+    echo "TypeError: Cannot assign resource to typed property\n";
+}
+
+?>
+--EXPECTF--
+Warning: fwrite(): Unprocessed filter buckets remaining on input brigade in %s on line %d
+TypeError: Cannot assign resource to typed property
+
+Fatal error: Uncaught TypeError: Cannot assign resource to property pass_filter::$stream of type int in %s
+Stack trace:
+#0 {main}
+  thrown in %s
diff --git a/ext/standard/user_filters.c b/ext/standard/user_filters.c
@@ -147,13 +147,10 @@ php_stream_filter_status_t userfilter_filter(
 	uint32_t orig_no_fclose = stream->flags & PHP_STREAM_FLAG_NO_FCLOSE;
 	stream->flags |= PHP_STREAM_FLAG_NO_FCLOSE;
 
-	zval *stream_prop = zend_hash_str_find_ind(Z_OBJPROP_P(obj), "stream", sizeof("stream")-1);
-	if (stream_prop) {
-		/* Give the userfilter class a hook back to the stream */
-		zval_ptr_dtor(stream_prop);
-		php_stream_to_zval(stream, stream_prop);
-		Z_ADDREF_P(stream_prop);
-	}
+	/* Give the userfilter class a hook back to the stream */
+	zval stream_zval;
+	php_stream_to_zval(stream, &stream_zval);
+	zend_update_property(Z_OBJCE_P(obj), Z_OBJ_P(obj), "stream", sizeof("stream")-1, &stream_zval);
 
 	ZVAL_STRINGL(&func_name, "filter", sizeof("filter")-1);
 
@@ -196,9 +193,7 @@ php_stream_filter_status_t userfilter_filter(
 	/* filter resources are cleaned up by the stream destructor,
 	 * keeping a reference to the stream resource here would prevent it
 	 * from being destroyed properly */
-	if (stream_prop) {
-		convert_to_null(stream_prop);
-	}
+	zend_update_property_null(Z_OBJCE_P(obj), Z_OBJ_P(obj), "stream", sizeof("stream")-1);
 
 	zval_ptr_dtor(&args[3]);
 	zval_ptr_dtor(&args[2]);
