Fix accessibility checks for dynamic properties

A dynamic property may be shadowed by a private/protected property.
Make sure we check property accessibility for non-indirect
properties as well.

Author: nikic

Zend/tests/foreach_shadowed_dyn_property.phpt

@@ -0,0 +1,29 @@
+--TEST--
+Dynamic property shadowed by private property
+--FILE--
+<?php
+  
+class Test {
+    private $prop = "Test";
+
+    function run() {
+        foreach ($this as $k => $v) {
+            echo "$k => $v\n";
+        }
+        var_dump(get_object_vars($this));
+    }
+}
+class Test2 extends Test {
+}
+
+$test2 = new Test2;
+$test2->prop = "Test2";
+$test2->run();
+
+?>
+--EXPECT--
+prop => Test
+array(1) {
+  ["prop"]=>
+  string(4) "Test"
+}

Zend/zend_builtin_functions.c

@@ -1198,13 +1198,13 @@ ZEND_FUNCTION(get_object_vars)
 					continue;
 				}
 
-				ZEND_ASSERT(key);
-				if (zend_check_property_access(zobj, key) == FAILURE) {
-					continue;
-				}
 				unmangle = 1;
 			}
 
+			if (zend_check_property_access(zobj, key) == FAILURE) {
+				continue;
+			}
+
 			if (Z_ISREF_P(value) && Z_REFCOUNT_P(value) == 1) {
 				value = Z_REFVAL_P(value);
 			}

Zend/zend_vm_def.h

@@ -5848,7 +5848,9 @@ ZEND_VM_C_LABEL(fe_fetch_r_exit):
 						 && EXPECTED(zend_check_property_access(Z_OBJ_P(array), p->key) == SUCCESS)) {
 							break;
 						}
-					} else {
+					} else if (EXPECTED(Z_OBJCE_P(array)->default_properties_count == 0)
+							|| !p->key
+							|| zend_check_property_access(Z_OBJ_P(array), p->key) == SUCCESS) {
 						break;
 					}
 				}
@@ -5998,7 +6000,9 @@ ZEND_VM_HANDLER(126, ZEND_FE_FETCH_RW, VAR, ANY, JMP_ADDR)
 						 && EXPECTED(zend_check_property_access(Z_OBJ_P(array), p->key) == SUCCESS)) {
 							break;
 						}
-					} else {
+					} else if (EXPECTED(Z_OBJCE_P(array)->default_properties_count == 0)
+							|| !p->key
+							|| zend_check_property_access(Z_OBJ_P(array), p->key) == SUCCESS) {
 						break;
 					}
 				}

Zend/zend_vm_execute.h

@@ -21261,7 +21261,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_FE_FETCH_R_SPEC_VAR_HANDLER(ZE
 						 && EXPECTED(zend_check_property_access(Z_OBJ_P(array), p->key) == SUCCESS)) {
 							break;
 						}
-					} else {
+					} else if (EXPECTED(Z_OBJCE_P(array)->default_properties_count == 0)
+							|| !p->key
+							|| zend_check_property_access(Z_OBJ_P(array), p->key) == SUCCESS) {
 						break;
 					}
 				}
@@ -21411,7 +21413,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL ZEND_FE_FETCH_RW_SPEC_VAR_HANDLER(Z
 						 && EXPECTED(zend_check_property_access(Z_OBJ_P(array), p->key) == SUCCESS)) {
 							break;
 						}
-					} else {
+					} else if (EXPECTED(Z_OBJCE_P(array)->default_properties_count == 0)
+							|| !p->key
+							|| zend_check_property_access(Z_OBJ_P(array), p->key) == SUCCESS) {
 						break;
 					}
 				}

ext/standard/http.c

@@ -56,14 +56,13 @@ PHPAPI int php_url_encode_hash_ex(HashTable *ht, smart_str *formstr,
 	ZEND_HASH_FOREACH_KEY_VAL_IND(ht, idx, key, zdata) {
 		/* handling for private & protected object properties */
 		if (key) {
+			if (type != NULL && zend_check_property_access(Z_OBJ_P(type), key) != SUCCESS) {
+				/* property not visible in this scope */
+				continue;
+			}
+
 			if (ZSTR_VAL(key)[0] == '\0' && type != NULL) {
 				const char *tmp;
-
-				zend_object *zobj = Z_OBJ_P(type);
-				if (zend_check_property_access(zobj, key) != SUCCESS) {
-					/* private or protected property access outside of the class */
-					continue;
-				}
 				zend_unmangle_property_name_ex(key, &tmp, &prop_name, &prop_len);
 			} else {
 				prop_name = ZSTR_VAL(key);