[Security] dont do nested calls to serialize()

nicolas-grekas · nicolas-grekas · commit 41000f1de0e9 · 2019-01-25T18:08:32.000+01:00
diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php b/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php
@@ -134,25 +134,24 @@ public function eraseCredentials()
 
     /**
      * {@inheritdoc}
+     *
+     * @param bool $isCalledFromOverridingMethod Must be set to true when called from an overriding method
+     *
+     * @return string|array Returns an array when $isCalledFromOverridingMethod is set to true
      */
     public function serialize()
     {
-        return serialize(
-            [
-                \is_object($this->user) ? clone $this->user : $this->user,
-                $this->authenticated,
-                array_map(function ($role) { return clone $role; }, $this->roles),
-                $this->attributes,
-            ]
-        );
+        $serialized = [$this->user, $this->authenticated, $this->roles, $this->attributes];
+
+        return $this->doSerialize($serialized, \func_num_args() ? \func_get_arg(0) : null);
     }
 
     /**
      * {@inheritdoc}
      */
     public function unserialize($serialized)
     {
-        list($this->user, $this->authenticated, $this->roles, $this->attributes) = unserialize($serialized);
+        list($this->user, $this->authenticated, $this->roles, $this->attributes) = \is_array($serialized) ? $serialized : unserialize($serialized);
     }
 
     /**
@@ -232,6 +231,19 @@ public function __toString()
         return sprintf('%s(user="%s", authenticated=%s, roles="%s")', $class, $this->getUsername(), json_encode($this->authenticated), implode(', ', $roles));
     }
 
+    /**
+     * @internal
+     */
+    protected function doSerialize($serialized, $isCalledFromOverridingMethod)
+    {
+        if (null === $isCalledFromOverridingMethod) {
+            $trace = debug_backtrace(DEBUG_BACKTRACE_PROVIDE_OBJECT, 3);
+            $isCalledFromOverridingMethod = isset($trace[2]['function'], $trace[2]['object']) && 'serialize' === $trace[2]['function'] && $this === $trace[2]['object'];
+        }
+
+        return $isCalledFromOverridingMethod ? $serialized : serialize($serialized);
+    }
+
     private function hasUserChanged(UserInterface $user)
     {
         if (!($this->user instanceof UserInterface)) {
diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/AnonymousToken.php b/src/Symfony/Component/Security/Core/Authentication/Token/AnonymousToken.php
@@ -67,7 +67,7 @@ public function serialize()
      */
     public function unserialize($serialized)
     {
-        list($this->secret, $parentStr) = unserialize($serialized);
+        list($this->secret, $parentStr) = \is_array($serialized) ? $serialized : unserialize($serialized);
         parent::unserialize($parentStr);
     }
 }
diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/PreAuthenticatedToken.php b/src/Symfony/Component/Security/Core/Authentication/Token/PreAuthenticatedToken.php
@@ -76,18 +76,22 @@ public function eraseCredentials()
 
     /**
      * {@inheritdoc}
+     *
+     * @param bool $isCalledFromOverridingMethod Must be set to true when called from an overriding method
      */
     public function serialize()
     {
-        return serialize([$this->credentials, $this->providerKey, parent::serialize()]);
+        $serialized = [$this->credentials, $this->providerKey, parent::serialize(true)];
+
+        return $this->doSerialize($serialized, \func_num_args() ? \func_get_arg(0) : null);
     }
 
     /**
      * {@inheritdoc}
      */
     public function unserialize($str)
     {
-        list($this->credentials, $this->providerKey, $parentStr) = unserialize($str);
+        list($this->credentials, $this->providerKey, $parentStr) = \is_array($str) ? $str : unserialize($str);
         parent::unserialize($parentStr);
     }
 }
diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php b/src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php
@@ -106,7 +106,7 @@ public function serialize()
      */
     public function unserialize($serialized)
     {
-        list($this->secret, $this->providerKey, $parentStr) = unserialize($serialized);
+        list($this->secret, $this->providerKey, $parentStr) = \is_array($serialized) ? $serialized : unserialize($serialized);
         parent::unserialize($parentStr);
     }
 }
diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/UsernamePasswordToken.php b/src/Symfony/Component/Security/Core/Authentication/Token/UsernamePasswordToken.php
@@ -99,7 +99,7 @@ public function serialize()
      */
     public function unserialize($serialized)
     {
-        list($this->credentials, $this->providerKey, $parentStr) = unserialize($serialized);
+        list($this->credentials, $this->providerKey, $parentStr) = \is_array($serialized) ? $serialized : unserialize($serialized);
         parent::unserialize($parentStr);
     }
 }
diff --git a/src/Symfony/Component/Security/Core/Exception/AccountStatusException.php b/src/Symfony/Component/Security/Core/Exception/AccountStatusException.php
@@ -55,7 +55,7 @@ public function serialize()
      */
     public function unserialize($str)
     {
-        list($this->user, $parentData) = unserialize($str);
+        list($this->user, $parentData) = \is_array($str) ? $str : unserialize($str);
 
         parent::unserialize($parentData);
     }
diff --git a/src/Symfony/Component/Security/Core/Exception/CustomUserMessageAuthenticationException.php b/src/Symfony/Component/Security/Core/Exception/CustomUserMessageAuthenticationException.php
@@ -72,7 +72,7 @@ public function serialize()
      */
     public function unserialize($str)
     {
-        list($parentData, $this->messageKey, $this->messageData) = unserialize($str);
+        list($parentData, $this->messageKey, $this->messageData) = \is_array($str) ? $str : unserialize($str);
 
         parent::unserialize($parentData);
     }
diff --git a/src/Symfony/Component/Security/Core/Exception/UsernameNotFoundException.php b/src/Symfony/Component/Security/Core/Exception/UsernameNotFoundException.php
@@ -65,7 +65,7 @@ public function serialize()
      */
     public function unserialize($str)
     {
-        list($this->username, $parentData) = unserialize($str);
+        list($this->username, $parentData) = \is_array($str) ? $str : unserialize($str);
 
         parent::unserialize($parentData);
     }
diff --git a/src/Symfony/Component/Security/Core/Tests/Authentication/Token/AbstractTokenTest.php b/src/Symfony/Component/Security/Core/Tests/Authentication/Token/AbstractTokenTest.php
@@ -43,6 +43,9 @@ public function __construct($user, array $roles = [])
         $this->setUser($user);
     }
 
+    /**
+     * @param bool $isCalledFromOverridingMethod Must be set to true when called from an overriding method
+     */
     public function serialize()
     {
         return serialize([$this->credentials, parent::serialize()]);
diff --git a/src/Symfony/Component/Security/Guard/Token/PostAuthenticationGuardToken.php b/src/Symfony/Component/Security/Guard/Token/PostAuthenticationGuardToken.php
@@ -76,15 +76,15 @@ public function getProviderKey()
      */
     public function serialize()
     {
-        return serialize([$this->providerKey, parent::serialize()]);
+        return serialize([$this->providerKey, parent::serialize(true)]);
     }
 
     /**
      * {@inheritdoc}
      */
     public function unserialize($serialized)
     {
-        list($this->providerKey, $parentStr) = unserialize($serialized);
+        list($this->providerKey, $parentStr) = \is_array($serialized) ? $serialized : unserialize($serialized);
         parent::unserialize($parentStr);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -67,7 +67,7 @@ public function serialize()`
`67`	`67`	`*/`
`68`	`68`	`public function unserialize($serialized)`
`69`	`69`	`{`
`70`		`- list($this->secret, $parentStr) = unserialize($serialized);`
	`70`	`+ list($this->secret, $parentStr) = \is_array($serialized) ? $serialized : unserialize($serialized);`
`71`	`71`	`parent::unserialize($parentStr);`
`72`	`72`	`}`
`73`	`73`	`}`
Original file line number	Diff line number	Diff line change
`@@ -76,18 +76,22 @@ public function eraseCredentials()`
`76`	`76`
`77`	`77`	`/**`
`78`	`78`	`* {@inheritdoc}`
	`79`	`+ *`
	`80`	`+ * @param bool $isCalledFromOverridingMethod Must be set to true when called from an overriding method`
`79`	`81`	`*/`
`80`	`82`	`public function serialize()`
`81`	`83`	`{`
`82`		`- return serialize([$this->credentials, $this->providerKey, parent::serialize()]);`
	`84`	`+ $serialized = [$this->credentials, $this->providerKey, parent::serialize(true)];`
	`85`	`+`
	`86`	`+ return $this->doSerialize($serialized, \func_num_args() ? \func_get_arg(0) : null);`
`83`	`87`	`}`
`84`	`88`
`85`	`89`	`/**`
`86`	`90`	`* {@inheritdoc}`
`87`	`91`	`*/`
`88`	`92`	`public function unserialize($str)`
`89`	`93`	`{`
`90`		`- list($this->credentials, $this->providerKey, $parentStr) = unserialize($str);`
	`94`	`+ list($this->credentials, $this->providerKey, $parentStr) = \is_array($str) ? $str : unserialize($str);`
`91`	`95`	`parent::unserialize($parentStr);`
`92`	`96`	`}`
`93`	`97`	`}`
Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,7 @@ public function serialize()`
`106`	`106`	`*/`
`107`	`107`	`public function unserialize($serialized)`
`108`	`108`	`{`
`109`		`- list($this->secret, $this->providerKey, $parentStr) = unserialize($serialized);`
	`109`	`+ list($this->secret, $this->providerKey, $parentStr) = \is_array($serialized) ? $serialized : unserialize($serialized);`
`110`	`110`	`parent::unserialize($parentStr);`
`111`	`111`	`}`
`112`	`112`	`}`
Original file line number	Diff line number	Diff line change
`@@ -99,7 +99,7 @@ public function serialize()`
`99`	`99`	`*/`
`100`	`100`	`public function unserialize($serialized)`
`101`	`101`	`{`
`102`		`- list($this->credentials, $this->providerKey, $parentStr) = unserialize($serialized);`
	`102`	`+ list($this->credentials, $this->providerKey, $parentStr) = \is_array($serialized) ? $serialized : unserialize($serialized);`
`103`	`103`	`parent::unserialize($parentStr);`
`104`	`104`	`}`
`105`	`105`	`}`
Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@ public function serialize()`
`55`	`55`	`*/`
`56`	`56`	`public function unserialize($str)`
`57`	`57`	`{`
`58`		`- list($this->user, $parentData) = unserialize($str);`
	`58`	`+ list($this->user, $parentData) = \is_array($str) ? $str : unserialize($str);`
`59`	`59`
`60`	`60`	`parent::unserialize($parentData);`
`61`	`61`	`}`
Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,7 @@ public function serialize()`
`72`	`72`	`*/`
`73`	`73`	`public function unserialize($str)`
`74`	`74`	`{`
`75`		`- list($parentData, $this->messageKey, $this->messageData) = unserialize($str);`
	`75`	`+ list($parentData, $this->messageKey, $this->messageData) = \is_array($str) ? $str : unserialize($str);`
`76`	`76`
`77`	`77`	`parent::unserialize($parentData);`
`78`	`78`	`}`
Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,7 @@ public function serialize()`
`65`	`65`	`*/`
`66`	`66`	`public function unserialize($str)`
`67`	`67`	`{`
`68`		`- list($this->username, $parentData) = unserialize($str);`
	`68`	`+ list($this->username, $parentData) = \is_array($str) ? $str : unserialize($str);`
`69`	`69`
`70`	`70`	`parent::unserialize($parentData);`
`71`	`71`	`}`
Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,9 @@ public function __construct($user, array $roles = [])`
`43`	`43`	`$this->setUser($user);`
`44`	`44`	`}`
`45`	`45`
	`46`	`+ /**`
	`47`	`+ * @param bool $isCalledFromOverridingMethod Must be set to true when called from an overriding method`
	`48`	`+ */`
`46`	`49`	`public function serialize()`
`47`	`50`	`{`
`48`	`51`	`return serialize([$this->credentials, parent::serialize()]);`
Original file line number	Diff line number	Diff line change
`@@ -76,15 +76,15 @@ public function getProviderKey()`
`76`	`76`	`*/`
`77`	`77`	`public function serialize()`
`78`	`78`	`{`
`79`		`- return serialize([$this->providerKey, parent::serialize()]);`
	`79`	`+ return serialize([$this->providerKey, parent::serialize(true)]);`
`80`	`80`	`}`
`81`	`81`
`82`	`82`	`/**`
`83`	`83`	`* {@inheritdoc}`
`84`	`84`	`*/`
`85`	`85`	`public function unserialize($serialized)`
`86`	`86`	`{`
`87`		`- list($this->providerKey, $parentStr) = unserialize($serialized);`
	`87`	`+ list($this->providerKey, $parentStr) = \is_array($serialized) ? $serialized : unserialize($serialized);`
`88`	`88`	`parent::unserialize($parentStr);`
`89`	`89`	`}`
`90`	`90`	`}`