bug #39797 Dont allow unserializing classes with a destructor (jderusse)

nicolas-grekas · nicolas-grekas · commit e6cfa099a898 · 2021-01-12T15:21:03.000+01:00
This PR was merged into the 4.4 branch. Discussion ---------- Dont allow unserializing classes with a destructor | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | - | License | MIT | Doc PR | - Prevent destructors with side-effects from being unserialized Commits ------- facc095 Dont allow unserializing classes with a destructor
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/Functional/app/AppKernel.php b/src/Symfony/Bundle/FrameworkBundle/Tests/Functional/app/AppKernel.php
@@ -87,6 +87,12 @@ public function __sleep(): array
 
     public function __wakeup()
     {
+        foreach ($this as $k => $v) {
+            if (\is_object($v)) {
+                throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+            }
+        }
+
         $this->__construct($this->varDir, $this->testCase, $this->rootConfig, $this->environment, $this->debug);
     }
 
diff --git a/src/Symfony/Component/DependencyInjection/Loader/Configurator/AbstractConfigurator.php b/src/Symfony/Component/DependencyInjection/Loader/Configurator/AbstractConfigurator.php
@@ -34,6 +34,16 @@ public function __call($method, $args)
         throw new \BadMethodCallException(sprintf('Call to undefined method "%s::%s()".', static::class, $method));
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     /**
      * Checks that a value is valid, optionally replacing Definition and Reference configurators by their configure value.
      *
diff --git a/src/Symfony/Component/Form/Util/OrderedHashMapIterator.php b/src/Symfony/Component/Form/Util/OrderedHashMapIterator.php
@@ -76,6 +76,16 @@ public function __construct(array &$elements, array &$orderedKeys, array &$manag
         $this->managedCursors[$this->cursorId] = &$this->cursor;
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     /**
      * Removes the iterator's cursors from the managed cursors of the
      * corresponding {@link OrderedHashMap} instance.
diff --git a/src/Symfony/Component/HttpKernel/DataCollector/DataCollector.php b/src/Symfony/Component/HttpKernel/DataCollector/DataCollector.php
@@ -123,6 +123,10 @@ public function __sleep()
     public function __wakeup()
     {
         if (__CLASS__ !== $c = (new \ReflectionMethod($this, 'unserialize'))->getDeclaringClass()->name) {
+            if (\is_object($this->data)) {
+                throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+            }
+
             @trigger_error(sprintf('Implementing the "%s::unserialize()" method is deprecated since Symfony 4.3, store all the serialized state in the "data" property instead.', $c), \E_USER_DEPRECATED);
             $this->unserialize($this->data);
         }
diff --git a/src/Symfony/Component/HttpKernel/DataCollector/DumpDataCollector.php b/src/Symfony/Component/HttpKernel/DataCollector/DumpDataCollector.php
@@ -184,7 +184,7 @@ public function __wakeup()
         $fileLinkFormat = array_pop($this->data);
         $this->dataCount = \count($this->data);
 
-        self::__construct($this->stopwatch, $fileLinkFormat, $charset);
+        self::__construct($this->stopwatch, \is_string($fileLinkFormat) || $fileLinkFormat instanceof FileLinkFormatter ? $fileLinkFormat : null, \is_string($charset) ? $charset : null);
     }
 
     public function getDumpsCount()
diff --git a/src/Symfony/Component/HttpKernel/Kernel.php b/src/Symfony/Component/HttpKernel/Kernel.php
@@ -920,6 +920,10 @@ public function __sleep()
 
     public function __wakeup()
     {
+        if (\is_object($this->environment) || \is_object($this->debug)) {
+            throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+        }
+
         if (__CLASS__ !== $c = (new \ReflectionMethod($this, 'serialize'))->getDeclaringClass()->name) {
             @trigger_error(sprintf('Implementing the "%s::serialize()" method is deprecated since Symfony 4.3.', $c), \E_USER_DEPRECATED);
             $this->unserialize($this->serialized);
diff --git a/src/Symfony/Component/Ldap/Adapter/ExtLdap/Connection.php b/src/Symfony/Component/Ldap/Adapter/ExtLdap/Connection.php
@@ -35,6 +35,16 @@ class Connection extends AbstractConnection
     /** @var resource */
     private $connection;
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         $this->disconnect();
diff --git a/src/Symfony/Component/Ldap/Adapter/ExtLdap/Query.php b/src/Symfony/Component/Ldap/Adapter/ExtLdap/Query.php
@@ -38,6 +38,16 @@ public function __construct(Connection $connection, string $dn, string $query, a
         parent::__construct($connection, $dn, $query, $options);
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         $con = $this->connection->getResource();
diff --git a/src/Symfony/Component/Lock/Lock.php b/src/Symfony/Component/Lock/Lock.php
@@ -50,6 +50,16 @@ public function __construct(Key $key, PersistingStoreInterface $store, float $tt
         $this->logger = new NullLogger();
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     /**
      * Automatically releases the underlying lock when the object is destructed.
      */
diff --git a/src/Symfony/Component/Process/Pipes/UnixPipes.php b/src/Symfony/Component/Process/Pipes/UnixPipes.php
@@ -35,6 +35,16 @@ public function __construct(?bool $ttyMode, bool $ptyMode, $input, bool $haveRea
         parent::__construct($input);
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         $this->close();
diff --git a/src/Symfony/Component/Process/Pipes/WindowsPipes.php b/src/Symfony/Component/Process/Pipes/WindowsPipes.php
@@ -88,6 +88,16 @@ public function __construct($input, bool $haveReadSupport)
         parent::__construct($input);
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         $this->close();
diff --git a/src/Symfony/Component/Process/Process.php b/src/Symfony/Component/Process/Process.php
@@ -198,6 +198,16 @@ public static function fromShellCommandline(string $command, string $cwd = null,
         return $process;
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         $this->stop(0);
diff --git a/src/Symfony/Component/Routing/Loader/Configurator/CollectionConfigurator.php b/src/Symfony/Component/Routing/Loader/Configurator/CollectionConfigurator.php
@@ -36,6 +36,16 @@ public function __construct(RouteCollection $parent, string $name, self $parentC
         $this->parentPrefixes = $parentPrefixes;
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         if (null === $this->prefixes) {
diff --git a/src/Symfony/Component/Routing/Loader/Configurator/ImportConfigurator.php b/src/Symfony/Component/Routing/Loader/Configurator/ImportConfigurator.php
@@ -30,6 +30,16 @@ public function __construct(RouteCollection $parent, RouteCollection $route)
         $this->route = $route;
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         $this->parent->addCollection($this->route);

Original file line number	Diff line number	Diff line change
`@@ -87,6 +87,12 @@ public function __sleep(): array`
`87`	`87`
`88`	`88`	`public function __wakeup()`
`89`	`89`	`{`
	`90`	`+ foreach ($this as $k => $v) {`
	`91`	`+ if (\is_object($v)) {`
	`92`	`+ throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);`
	`93`	`+ }`
	`94`	`+ }`
	`95`	`+`
`90`	`96`	`$this->__construct($this->varDir, $this->testCase, $this->rootConfig, $this->environment, $this->debug);`
`91`	`97`	`}`
`92`	`98`
Original file line number	Diff line number	Diff line change
`@@ -123,6 +123,10 @@ public function __sleep()`
`123`	`123`	`public function __wakeup()`
`124`	`124`	`{`
`125`	`125`	`if (__CLASS__ !== $c = (new \ReflectionMethod($this, 'unserialize'))->getDeclaringClass()->name) {`
	`126`	`+ if (\is_object($this->data)) {`
	`127`	`+ throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);`
	`128`	`+ }`
	`129`	`+`
`126`	`130`	`@trigger_error(sprintf('Implementing the "%s::unserialize()" method is deprecated since Symfony 4.3, store all the serialized state in the "data" property instead.', $c), \E_USER_DEPRECATED);`
`127`	`131`	`$this->unserialize($this->data);`
`128`	`132`	`}`
Original file line number	Diff line number	Diff line change
`@@ -184,7 +184,7 @@ public function __wakeup()`
`184`	`184`	`$fileLinkFormat = array_pop($this->data);`
`185`	`185`	`$this->dataCount = \count($this->data);`
`186`	`186`
`187`		`- self::__construct($this->stopwatch, $fileLinkFormat, $charset);`
	`187`	`+ self::__construct($this->stopwatch, \is_string($fileLinkFormat) \|\| $fileLinkFormat instanceof FileLinkFormatter ? $fileLinkFormat : null, \is_string($charset) ? $charset : null);`
`188`	`188`	`}`
`189`	`189`
`190`	`190`	`public function getDumpsCount()`