Merge branch '8.5' into 9.6

sebastianbergmann · sebastianbergmann · commit 1cce5f3ac2ee · 2026-01-26T17:42:41.000+01:00
* 8.5:
  Do not run PHPT test when its temporary file for code coverage information exists
  We do not need to unserialize() objects here
  Extract method
  Fix CS/WS issue
diff --git a/ChangeLog-9.6.md b/ChangeLog-9.6.md
@@ -2,6 +2,12 @@
 
 All notable changes of the PHPUnit 9.6 release series are documented in this file using the [Keep a CHANGELOG](https://keepachangelog.com/) principles.
 
+## [9.6.33] - 2026-MM-DD
+
+### Changed
+
+* To prevent Poisoned Pipeline Execution (PPE) attacks using prepared `.coverage` files in pull requests, a PHPT test will no longer be run if the temporary file for writing code coverage information already exists before the test runs
+
 ## [9.6.32] - 2026-01-24
 
 ### Changed
@@ -218,6 +224,7 @@ All notable changes of the PHPUnit 9.6 release series are documented in this fil
 * [#5064](https://github.com/sebastianbergmann/phpunit/issues/5064): Deprecate `PHPUnit\Framework\TestCase::getMockClass()`
 * [#5132](https://github.com/sebastianbergmann/phpunit/issues/5132): Deprecate `Test` suffix for abstract test case classes
 
+[9.6.33]: https://github.com/sebastianbergmann/phpunit/compare/9.6.32...9.6
 [9.6.32]: https://github.com/sebastianbergmann/phpunit/compare/9.6.31...9.6.32
 [9.6.31]: https://github.com/sebastianbergmann/phpunit/compare/9.6.30...9.6.31
 [9.6.30]: https://github.com/sebastianbergmann/phpunit/compare/9.6.29...9.6.30
diff --git a/src/Runner/PhptTestCase.php b/src/Runner/PhptTestCase.php
@@ -19,6 +19,7 @@
 use function explode;
 use function extension_loaded;
 use function file;
+use function file_exists;
 use function file_get_contents;
 use function file_put_contents;
 use function is_array;
@@ -89,17 +90,13 @@ final class PhptTestCase implements Reorderable, SelfDescribing, Test
      */
     public function __construct(string $filename, ?AbstractPhpProcess $phpUtil = null)
     {
-        if (!is_file($filename)) {
-            throw new Exception(
-                sprintf(
-                    'File "%s" does not exist.',
-                    $filename,
-                ),
-            );
-        }
+        $this->ensureFileExists($filename);
 
         $this->filename = $filename;
-        $this->phpUtil  = $phpUtil ?: AbstractPhpProcess::factory();
+
+        $this->ensureCoverageFileDoesNotExist();
+
+        $this->phpUtil = $phpUtil ?: AbstractPhpProcess::factory();
     }
 
     /**
@@ -657,7 +654,7 @@ private function cleanupForCoverage(): RawCodeCoverageData
             $buffer = @file_get_contents($files['coverage']);
 
             if ($buffer !== false) {
-                $coverage = @unserialize($buffer);
+                $coverage = @unserialize($buffer, ['allowed_classes' => false]);
 
                 if ($coverage === false) {
                     $coverage = RawCodeCoverageData::fromXdebugWithoutPathCoverage([]);
@@ -862,4 +859,37 @@ private function settings(bool $collectCoverage): array
 
         return $settings;
     }
+
+    /**
+     * @throws Exception
+     */
+    private function ensureFileExists(string $filename): void
+    {
+        if (!is_file($filename)) {
+            throw new Exception(
+                sprintf(
+                    'File "%s" does not exist.',
+                    $filename,
+                ),
+            );
+        }
+    }
+
+    /**
+     * @throws Exception
+     */
+    private function ensureCoverageFileDoesNotExist(): void
+    {
+        $files = $this->getCoverageFiles();
+
+        if (file_exists($files['coverage'])) {
+            throw new Exception(
+                sprintf(
+                    'File %s exists, PHPT test %s will not be executed',
+                    $files['coverage'],
+                    $this->filename,
+                ),
+            );
+        }
+    }
 }
diff --git a/tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage b/tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage
diff --git a/tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt b/tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt
@@ -0,0 +1,7 @@
+--TEST--
+test
+--FILE--
+<?php declare(strict_types=1);
+print 'test';
+--EXPECT--
+test
diff --git a/tests/end-to-end/phpt/phpt-coverage-file-exists.phpt b/tests/end-to-end/phpt/phpt-coverage-file-exists.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Error when code coverage file exists
+--FILE--
+<?php declare(strict_types=1);
+$_SERVER['argv'][] = '--do-not-cache-result';
+$_SERVER['argv'][] = '--no-configuration';
+$_SERVER['argv'][] = \realpath(__DIR__ . '/../_files/phpt-coverage-file-exists/test.phpt');
+
+require_once __DIR__ . '/../../bootstrap.php';
+
+PHPUnit\TextUI\Command::main();
+--EXPECTF--
+Fatal error: Uncaught PHPUnit\Runner\Exception: File %stest.coverage exists, PHPT test %stest.phpt will not be executed%A
