bug #39795 Dont allow unserializing classes with a destructor - 5.1 (jderusse)

nicolas-grekas · nicolas-grekas · commit 8bc5679bcc1f · 2021-01-12T10:31:38.000+01:00
This PR was merged into the 5.1 branch. Discussion ---------- Dont allow unserializing classes with a destructor - 5.1 | Q | A | ------------- | --- | Branch? | 5.1 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | - | License | MIT | Doc PR | - Prevent destructors with side-effects from being unserialized Commits ------- 07402f4 Dont allow unserializing classes with a destructor - 5.1
diff --git a/src/Symfony/Component/HttpClient/Response/AmpResponse.php b/src/Symfony/Component/HttpClient/Response/AmpResponse.php
@@ -109,6 +109,16 @@ public function getInfo(string $type = null)
         return null !== $type ? $this->info[$type] ?? null : $this->info;
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         try {
diff --git a/src/Symfony/Component/Messenger/Bridge/AmazonSqs/Transport/Connection.php b/src/Symfony/Component/Messenger/Bridge/AmazonSqs/Transport/Connection.php
@@ -63,6 +63,16 @@ public function __construct(array $configuration, SqsClient $client = null)
         $this->client = $client ?? new SqsClient([]);
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         $this->reset();
diff --git a/src/Symfony/Component/String/UnicodeString.php b/src/Symfony/Component/String/UnicodeString.php
@@ -359,6 +359,10 @@ public function startsWith($prefix): bool
 
     public function __wakeup()
     {
+        if (!\is_string($this->string)) {
+            throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+        }
+
         normalizer_is_normalized($this->string) ?: $this->string = normalizer_normalize($this->string);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -359,6 +359,10 @@ public function startsWith($prefix): bool`
`359`	`359`
`360`	`360`	`public function __wakeup()`
`361`	`361`	`{`
	`362`	`+ if (!\is_string($this->string)) {`
	`363`	`+ throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);`
	`364`	`+ }`
	`365`	`+`
`362`	`366`	`normalizer_is_normalized($this->string) ?: $this->string = normalizer_normalize($this->string);`
`363`	`367`	`}`
`364`	`368`