handle instantiation protections

Author: withinboredom

Zend/zend_API.c

@@ -1816,6 +1816,27 @@ static zend_always_inline zend_result _object_and_properties_init(zval *arg, zen
 		return FAILURE;
 	}
 
+	if (class_type->required_scope) {
+		const zend_class_entry *scope = zend_get_executed_scope();
+		if (UNEXPECTED(scope == NULL)) {
+			zend_type_error("Cannot instantiate class %s from the global scope", ZSTR_VAL(class_type->name));
+			ZVAL_NULL(arg);
+			Z_OBJ_P(arg) = NULL;
+			return FAILURE;
+		}
+
+		if (class_type->required_scope_absolute) {
+			if (scope != class_type->required_scope && scope->lexical_scope != class_type->required_scope) {
+				zend_type_error("Cannot instantiate private class %s from scope %s", ZSTR_VAL(class_type->name), ZSTR_VAL(scope->name));
+				ZVAL_NULL(arg);
+				Z_OBJ_P(arg) = NULL;
+				return FAILURE;
+			}
+		} else if (!instanceof_function(scope, class_type->required_scope) && !instanceof_function(scope->lexical_scope, class_type->required_scope)) {
+			zend_type_error("Cannot instantiate protected class %s from scope %s", ZSTR_VAL(class_type->name), ZSTR_VAL(scope->name));
+		}
+	}
+
 	if (UNEXPECTED(!(class_type->ce_flags & ZEND_ACC_CONSTANTS_UPDATED))) {
 		if (UNEXPECTED(zend_update_class_constants(class_type) != SUCCESS)) {
 			ZVAL_NULL(arg);

Zend/zend_vm_def.h

@@ -4427,6 +4427,24 @@ ZEND_VM_COLD_CONST_HANDLER(124, ZEND_VERIFY_RETURN_TYPE, CONST|TMP|VAR|UNUSED|CV
 		}
 
 		SAVE_OPLINE();
+
+		if (Z_TYPE_P(retval_ptr) == IS_OBJECT && Z_OBJCE_P(retval_ptr)->required_scope) {
+			if (EX(func)->common.fn_flags & ZEND_ACC_PUBLIC) {
+				if (Z_OBJCE_P(retval_ptr)->required_scope_absolute) {
+					zend_type_error("Public method %s cannot return private class %s", ZSTR_VAL(EX(func)->common.function_name), ZSTR_VAL(Z_OBJCE_P(retval_ptr)->name));
+					HANDLE_EXCEPTION();
+				} else {
+					zend_type_error("Public method %s cannot return protected class %s", ZSTR_VAL(EX(func)->common.function_name), ZSTR_VAL(Z_OBJCE_P(retval_ptr)->name));
+					HANDLE_EXCEPTION();
+				}
+			} else if (EX(func)->common.fn_flags & ZEND_ACC_PROTECTED) {
+				if (Z_OBJCE_P(retval_ptr)->required_scope_absolute && Z_OBJCE_P(retval_ptr)->required_scope != EX(func)->common.scope) {
+					zend_type_error("Protected method %s cannot return private class %s", ZSTR_VAL(EX(func)->common.function_name), ZSTR_VAL(Z_OBJCE_P(retval_ptr)->name));
+					HANDLE_EXCEPTION();
+				}
+			}
+		}
+
 		if (UNEXPECTED(!zend_check_type_slow(&ret_info->type, retval_ptr, ref, cache_slot, 1, 0))) {
 			zend_verify_return_error(EX(func), retval_ptr);
 			HANDLE_EXCEPTION();

Zend/zend_vm_execute.h

@@ -13,7 +13,7 @@ var_dump($line);
 --EXPECTF--
 autoload(inner_classes\Line)
 
-Fatal error: Uncaught Error: Cannot instantiate class inner_classes\Line from the global scope in %s:%d
+Fatal error: Uncaught TypeError: Cannot instantiate class inner_classes\Line from the global scope in %s:%d
 Stack trace:
 #0 {main}
   thrown in %s on line %d

tests/classes/inner_classes/autoload_002.phpt

@@ -0,0 +1,89 @@
+--TEST--
+instantiation from various scopes
+--FILE--
+<?php
+
+class Outer {
+    private class PrivateInner {
+    }
+    protected class ProtectedInner {
+    }
+    public class PublicInner {
+    }
+}
+
+try {
+    var_dump(new Outer\PrivateInner());
+} catch (Throwable $e) {
+    echo "Failed to instantiate Outer\PrivateInner: {$e->getMessage()}\n";
+}
+
+try {
+    var_dump(new Outer\ProtectedInner());
+} catch (Throwable $e) {
+    echo "Failed to instantiate Outer\ProtectedInner: {$e->getMessage()}\n";
+}
+
+try {
+    var_dump(new Outer\PublicInner());
+} catch (Throwable $e) {
+    echo "Failed to instantiate Outer\PublicInner: {$e->getMessage()}\n";
+}
+
+class Other {
+    public function testPrivate() {
+        var_dump(new Outer\PrivateInner());
+    }
+    public function testProtected() {
+        var_dump(new Outer\ProtectedInner());
+    }
+    public function testPublic() {
+        var_dump(new Outer\PublicInner());
+    }
+}
+
+$other = new Other();
+foreach (['Private', 'Protected', 'Public'] as $type) {
+    try {
+        $other->{"test$type"}();
+    } catch(Throwable $e) {
+        echo "Failed to instantiate Outer\\$type: {$e->getMessage()}\n";
+    }
+}
+
+class Child extends Outer {
+    public function testPrivate() {
+        var_dump(new Outer\PrivateInner());
+    }
+    public function testProtected() {
+        var_dump(new Outer\ProtectedInner());
+    }
+    public function testPublic() {
+        var_dump(new Outer\PublicInner());
+    }
+}
+
+$other = new Child();
+foreach (['Private', 'Protected', 'Public'] as $type) {
+    try {
+        $other->{"test$type"}();
+    } catch(Throwable $e) {
+        echo "Failed to instantiate Outer\\$type: {$e->getMessage()}\n";
+    }
+}
+
+?>
+--EXPECT--
+Failed to instantiate Outer\PrivateInner: Cannot instantiate class Outer\PrivateInner from the global scope
+Failed to instantiate Outer\ProtectedInner: Cannot instantiate class Outer\ProtectedInner from the global scope
+object(Outer\PublicInner)#1 (0) {
+}
+Failed to instantiate Outer\Private: Cannot instantiate private class Outer\PrivateInner from scope Other
+Failed to instantiate Outer\Protected: Cannot instantiate protected class Outer\ProtectedInner from scope Other
+object(Outer\PublicInner)#3 (0) {
+}
+Failed to instantiate Outer\Private: Cannot instantiate private class Outer\PrivateInner from scope Child
+object(Outer\ProtectedInner)#2 (0) {
+}
+object(Outer\PublicInner)#2 (0) {
+}

tests/classes/inner_classes/instantiation_001.phpt

@@ -29,7 +29,7 @@ var_dump($outer->getInner());
 object(Outer\Inner)#2 (0) {
 }
 
-Fatal error: Uncaught Error: Cannot instantiate private class Outer\Inner from Foo in %s:%d
+Fatal error: Uncaught TypeError: Cannot instantiate private class Outer\Inner from scope Foo in %s:%d
 Stack trace:
 #0 %s(%d): Foo->getInner()
 #1 {main}