bug #39796 Dont allow unserializing classes with a destructor - 5.2 (jderusse)

nicolas-grekas · nicolas-grekas · commit d5d388fc25b8 · 2021-01-12T10:53:07.000+01:00
This PR was merged into the 5.2 branch. Discussion ---------- Dont allow unserializing classes with a destructor - 5.2 | Q | A | ------------- | --- | Branch? | 5.2 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | - | License | MIT | Doc PR | - Prevent destructors with side-effects from being unserialized Commits ------- 9860190 Dont allow unserializing classes with a destructor - 5.2
diff --git a/src/Symfony/Component/HttpClient/Response/CommonResponseTrait.php b/src/Symfony/Component/HttpClient/Response/CommonResponseTrait.php
@@ -127,6 +127,16 @@ public function toStream(bool $throw = true)
         return $stream;
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     /**
      * Closes the response and all its network handles.
      */
diff --git a/src/Symfony/Component/HttpClient/Response/TraceableResponse.php b/src/Symfony/Component/HttpClient/Response/TraceableResponse.php
@@ -44,6 +44,16 @@ public function __construct(HttpClientInterface $client, ResponseInterface $resp
         $this->event = $event;
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         try {
diff --git a/src/Symfony/Component/RateLimiter/Policy/TokenBucket.php b/src/Symfony/Component/RateLimiter/Policy/TokenBucket.php
@@ -104,6 +104,10 @@ public function __sleep(): array
      */
     public function __wakeup(): void
     {
+        if (!\is_string($this->stringRate)) {
+            throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+        }
+
         $this->rate = Rate::fromString($this->stringRate);
         unset($this->stringRate);
     }

Original file line number	Diff line number	Diff line change
`@@ -104,6 +104,10 @@ public function __sleep(): array`
`104`	`104`	`*/`
`105`	`105`	`public function __wakeup(): void`
`106`	`106`	`{`
	`107`	`+ if (!\is_string($this->stringRate)) {`
	`108`	`+ throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);`
	`109`	`+ }`
	`110`	`+`
`107`	`111`	`$this->rate = Rate::fromString($this->stringRate);`
`108`	`112`	`unset($this->stringRate);`
`109`	`113`	`}`