ext/zip: Make ZipArchive non-serializable

A ZipArchive wraps a libzip resource that cannot survive serialization,
so unserialize() silently produced a broken object (numFiles = 0) instead
of erroring. Mark the class as not-serializable, consistent with Socket,
CurlHandle and the Dba classes.

Fixes GH-21682

Author: k2gl

NEWS

@@ -266,6 +266,8 @@ PHP                                                                        NEWS
     (kocsismate)
 
 - Zip:
+  . Fixed bug GH-21682 (ZipArchive must not be serializable).
+    (Nickolay Harin)
   . Fixed ZipArchive callback being called after executor has shut down.
     (ilutov)
   . Support minimum version for libzip dependency updated to 1.0.0.

ext/standard/tests/strings/bug72434.phpt

@@ -5,7 +5,7 @@ Bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm
 // The following array will be serialized and this representation will be freed later on.
 $free_me = array(new StdClass());
 // Create our payload and unserialize it.
-$serialized_payload = 'a:3:{i:1;N;i:2;O:10:"ZipArchive":1:{s:8:"filename";'.serialize($free_me).'}i:1;R:4;}';
+$serialized_payload = 'a:3:{i:1;N;i:2;O:8:"stdClass":1:{s:8:"filename";'.serialize($free_me).'}i:1;R:4;}';
 $unserialized_payload = unserialize($serialized_payload);
 gc_collect_cycles();
 // The reference counter for $free_me is at -1 for PHP 7 right now.

ext/zip/php_zip.stub.php

@@ -64,6 +64,9 @@ function zip_entry_filesize($zip_entry): int|false {}
 #[\Deprecated(since: '8.0', message: 'use ZipArchive::statIndex() instead')]
 function zip_entry_compressionmethod($zip_entry): string|false {}
 
+/**
+ * @not-serializable
+ */
 class ZipArchive implements Countable
 {
     /**

ext/zip/php_zip_arginfo.h

@@ -0,0 +1,14 @@
+--TEST--
+GH-21682 (ZipArchive must not be serializable)
+--EXTENSIONS--
+zip
+--FILE--
+<?php
+try {
+    serialize(new ZipArchive());
+} catch (\Exception $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+Serialization of 'ZipArchive' is not allowed