Dev news

Commit d61ff7cddd1 for php.net

commit d61ff7cddd15b3f3f4c82ff47dfce2e0306d5986
Author: Arshid <arshidkv12@gmail.com>
Date:   Fri May 29 17:53:55 2026 +0530

    ext/spl: ArrayObject no longer accepts arbitrary Iterators during unserialization (#22090)

    This aligns the behaviour with the constructor of ArrayObject.

diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 0105af77613..fc81ccb1958 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1482,9 +1482,9 @@ PHP_METHOD(ArrayObject, __unserialize)
 			RETURN_THROWS();
 		}

-		if (!instanceof_function(ce, zend_ce_iterator)) {
+		if (!instanceof_function(ce, spl_ce_ArrayIterator)) {
 			zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0,
-				"Cannot deserialize ArrayObject with iterator class '%s'; this class does not implement the Iterator interface",
+				"Cannot deserialize ArrayObject with iterator class '%s'; this class is not derived from ArrayIterator",
 				ZSTR_VAL(Z_STR_P(iterator_class_zv)));
 			RETURN_THROWS();
 		}
diff --git a/ext/spl/tests/GH-22047.phpt b/ext/spl/tests/GH-22047.phpt
new file mode 100644
index 00000000000..1c53cbcc79f
--- /dev/null
+++ b/ext/spl/tests/GH-22047.phpt
@@ -0,0 +1,19 @@
+--TEST--
+GH-22047: ArrayObject invalid iterator class in serialized payload
+--FILE--
+<?php
+
+$payload = 'O:11:"ArrayObject":4:{i:0;i:0;i:1;a:2:{i:4;d:0.0;i:1;b:1;}i:2;a:0:{}i:3;s:12:"GlobIterator";}';
+
+try {
+    $obj = unserialize($payload);
+    foreach ($obj as $k => $v) {
+        echo "should not reach here\n";
+    }
+} catch (UnexpectedValueException $e) {
+    echo $e->getMessage(), "\n";
+}
+
+?>
+--EXPECTF--
+Cannot deserialize ArrayObject with iterator class 'GlobIterator'; this class is not derived from ArrayIterator
diff --git a/ext/spl/tests/unserialize_errors.phpt b/ext/spl/tests/unserialize_errors.phpt
index 1138b5c8cd5..64356923ae2 100644
--- a/ext/spl/tests/unserialize_errors.phpt
+++ b/ext/spl/tests/unserialize_errors.phpt
@@ -144,7 +144,7 @@ class Existent {}
 Passed variable is not an array or object
 Incomplete or ill-typed serialization data
 Cannot deserialize ArrayObject with iterator class 'NonExistent'; no such class exists
-Cannot deserialize ArrayObject with iterator class 'Existent'; this class does not implement the Iterator interface
+Cannot deserialize ArrayObject with iterator class 'Existent'; this class is not derived from ArrayIterator
 ArrayIterator:
 Incomplete or ill-typed serialization data
 Incomplete or ill-typed serialization data