

Commit e6cfa09

bug #39797 Dont allow unserializing classes with a destructor (jderusse)
This PR was merged into the 4.4 branch. Discussion ---------- Dont allow unserializing classes with a destructor | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | - | License | MIT | Doc PR | - Prevent objects whose destructors have side effects from being unserialized Commits ------- facc095 Dont allow unserializing classes with a destructor
2 parents 6eff263 + facc095 commit e6cfa09

14 files changed

+115
-1
lines changed


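--- a/src/Symfony/Bundle/FrameworkBundle/Tests/Functional/app/AppKernel.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/Functional/app/AppKernel.php
@@ -87,6 +87,12 @@ public function __sleep(): array
 
 public function __wakeup()
 {
+foreach ($this as $k => $v) {
+if (\is_object($v)) {
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+}
+
 $this->__construct($this->varDir, $this->testCase, $this->rootConfig, $this->environment, $this->debug);
 }
 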
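Review bot: The guard added at lines 90-94 only sees the properties visible from AppKernel's own scope, because `foreach ($this as …)` inside a class does not iterate private properties declared on a parent; kernel-level state therefore remains covered only by the separate check in Kernel::__wakeup from this same commit, and a comment above the loop should say so. `$k` is never used, so `foreach ($this as $v) {` is sufficient. The re-entry into `__construct` on line 96 is what the loop protects, since a forged payload would otherwise hand those property values to the constructor; a one-line comment stating that intent would help the next maintainer.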

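--- a/src/Symfony/Component/DependencyInjection/Loader/Configurator/AbstractConfigurator.php
+++ b/src/Symfony/Component/DependencyInjection/Loader/Configurator/AbstractConfigurator.php
@@ -34,6 +34,16 @@ public function __call($method, $args)
 throw new \BadMethodCallException(sprintf('Call to undefined method "%s::%s()".', static::class, $method));
 }
 
+public function __sleep()
+{
+throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+}
+
+public function __wakeup()
+{
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+
 /**
 * Checks that a value is valid, optionally replacing Definition and Reference configurators by their configure value.
 *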
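Review bot: The new `__sleep()`/`__wakeup()` pair carries no comment explaining why (un)serialization is refused, and the same bare pair is repeated in OrderedHashMapIterator, Connection, Query, Lock, UnixPipes, WindowsPipes, Process, CollectionConfigurator and ImportConfigurator; a one-line comment above each `__sleep()` such as `// instances of this class must never be created through unserialize(): their destructors have side effects` would record the intent in every file at once. The protection also appears to depend on the engine not running `__destruct()` for an object whose `__wakeup()` threw; if that is what the commit relies on, it is worth stating in the same comment, because a maintainer who later replaces the throw with a no-op would silently lose the guarantee. For the classes that can be subclassed, note that a subclass defining `__unserialize()` (PHP 7.4+) is invoked instead of `__wakeup()`, so the guard does not extend to such subclasses.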

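--- a/src/Symfony/Component/Form/Util/OrderedHashMapIterator.php
+++ b/src/Symfony/Component/Form/Util/OrderedHashMapIterator.php
@@ -76,6 +76,16 @@ public function __construct(array &$elements, array &$orderedKeys, array &$manag
 $this->managedCursors[$this->cursorId] = &$this->cursor;
 }
 
+public function __sleep()
+{
+throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+}
+
+public function __wakeup()
+{
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+
 /**
 * Removes the iterator's cursors from the managed cursors of the
 * corresponding {@link OrderedHashMap} instance.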

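--- a/src/Symfony/Component/HttpKernel/DataCollector/DataCollector.php
+++ b/src/Symfony/Component/HttpKernel/DataCollector/DataCollector.php
@@ -123,6 +123,10 @@ public function __sleep()
 public function __wakeup()
 {
 if (__CLASS__ !== $c = (new \ReflectionMethod($this, 'unserialize'))->getDeclaringClass()->name) {
+if (\is_object($this->data)) {
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+
 @trigger_error(sprintf('Implementing the "%s::unserialize()" method is deprecated since Symfony 4.3, store all the serialized state in the "data" property instead.', $c), \E_USER_DEPRECATED);
 $this->unserialize($this->data);
 }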

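--- a/src/Symfony/Component/HttpKernel/DataCollector/DumpDataCollector.php
+++ b/src/Symfony/Component/HttpKernel/DataCollector/DumpDataCollector.php
@@ -184,7 +184,7 @@ public function __wakeup()
 $fileLinkFormat = array_pop($this->data);
 $this->dataCount = \count($this->data);
 
-self::__construct($this->stopwatch, $fileLinkFormat, $charset);
+self::__construct($this->stopwatch, \is_string($fileLinkFormat) || $fileLinkFormat instanceof FileLinkFormatter ? $fileLinkFormat : null, \is_string($charset) ? $charset : null);
 }
 
 public function getDumpsCount()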

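--- a/src/Symfony/Component/HttpKernel/Kernel.php
+++ b/src/Symfony/Component/HttpKernel/Kernel.php
@@ -920,6 +920,10 @@ public function __sleep()
 
 public function __wakeup()
 {
+if (\is_object($this->environment) || \is_object($this->debug)) {
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+
 if (__CLASS__ !== $c = (new \ReflectionMethod($this, 'serialize'))->getDeclaringClass()->name) {
 @trigger_error(sprintf('Implementing the "%s::serialize()" method is deprecated since Symfony 4.3.', $c), \E_USER_DEPRECATED);
 $this->unserialize($this->serialized);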

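--- a/src/Symfony/Component/Ldap/Adapter/ExtLdap/Connection.php
+++ b/src/Symfony/Component/Ldap/Adapter/ExtLdap/Connection.php
@@ -35,6 +35,16 @@ class Connection extends AbstractConnection
 /** @var resource */
 private $connection;
 
+public function __sleep()
+{
+throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+}
+
+public function __wakeup()
+{
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+
 public function __destruct()
 {
 $this->disconnect();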

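--- a/src/Symfony/Component/Ldap/Adapter/ExtLdap/Query.php
+++ b/src/Symfony/Component/Ldap/Adapter/ExtLdap/Query.php
@@ -38,6 +38,16 @@ public function __construct(Connection $connection, string $dn, string $query, a
 parent::__construct($connection, $dn, $query, $options);
 }
 
+public function __sleep()
+{
+throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+}
+
+public function __wakeup()
+{
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+
 public function __destruct()
 {
 $con = $this->connection->getResource();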

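--- a/src/Symfony/Component/Lock/Lock.php
+++ b/src/Symfony/Component/Lock/Lock.php
@@ -50,6 +50,16 @@ public function __construct(Key $key, PersistingStoreInterface $store, float $tt
 $this->logger = new NullLogger();
 }
 
+public function __sleep()
+{
+throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+}
+
+public function __wakeup()
+{
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+
 /**
 * Automatically releases the underlying lock when the object is destructed.
 */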

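--- a/src/Symfony/Component/Process/Pipes/UnixPipes.php
+++ b/src/Symfony/Component/Process/Pipes/UnixPipes.php
@@ -35,6 +35,16 @@ public function __construct(?bool $ttyMode, bool $ptyMode, $input, bool $haveRea
 parent::__construct($input);
 }
 
+public function __sleep()
+{
+throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+}
+
+public function __wakeup()
+{
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+
 public function __destruct()
 {
 $this->close();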

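--- a/src/Symfony/Component/Process/Pipes/WindowsPipes.php
+++ b/src/Symfony/Component/Process/Pipes/WindowsPipes.php
@@ -88,6 +88,16 @@ public function __construct($input, bool $haveReadSupport)
 parent::__construct($input);
 }
 
+public function __sleep()
+{
+throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+}
+
+public function __wakeup()
+{
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+
 public function __destruct()
 {
 $this->close();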

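--- a/src/Symfony/Component/Process/Process.php
+++ b/src/Symfony/Component/Process/Process.php
@@ -198,6 +198,16 @@ public static function fromShellCommandline(string $command, string $cwd = null,
 return $process;
 }
 
+public function __sleep()
+{
+throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+}
+
+public function __wakeup()
+{
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+
 public function __destruct()
 {
 $this->stop(0);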

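--- a/src/Symfony/Component/Routing/Loader/Configurator/CollectionConfigurator.php
+++ b/src/Symfony/Component/Routing/Loader/Configurator/CollectionConfigurator.php
@@ -36,6 +36,16 @@ public function __construct(RouteCollection $parent, string $name, self $parentC
 $this->parentPrefixes = $parentPrefixes;
 }
 
+public function __sleep()
+{
+throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+}
+
+public function __wakeup()
+{
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+
 public function __destruct()
 {
 if (null === $this->prefixes) {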

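--- a/src/Symfony/Component/Routing/Loader/Configurator/ImportConfigurator.php
+++ b/src/Symfony/Component/Routing/Loader/Configurator/ImportConfigurator.php
@@ -30,6 +30,16 @@ public function __construct(RouteCollection $parent, RouteCollection $route)
 $this->route = $route;
 }
 
+public function __sleep()
+{
+throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+}
+
+public function __wakeup()
+{
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+
 public function __destruct()
 {
 $this->parent->addCollection($this->route);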
