Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Roles are not unserialized in UsernamePasswordToken if they are references to objects in the user #14274

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
toxygene opened this issue Apr 8, 2015 · 1 comment
Closed

Roles are not unserialized in UsernamePasswordToken if they are references to objects in the user #14274

toxygene opened this issue Apr 8, 2015 · 1 comment
Labels
Bug Security Status: Needs Review

Comments

@toxygene
Copy link

toxygene commented Apr 8, 2015 

$roles = [new \Symfony\Component\Security\Core\Role\Role('name')];
$user = new \Symfony\Component\Security\Core\User\User('name', 'password', $roles);
$token = new \Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken($user, 'password', 'providerKey', $user->getRoles());

$serialized = serialize($token);
$unserialized = unserialize($token);

var_dump($serialized, $token->getRoles(), $unserialized->getRoles());

/*
Output:
string(859) "C:74:"Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken":771:{a:3:{i:0;s:8:"password";i:1;s:11:"providerKey";i:2;s:710:"a:4:{i:0;O:41:"Symfony\Component\Security\Core\User\User":7:{s:51:"\000Symfony\Component\Security\Core\User\User\000username";s:4:"name";s:51:"\000Symfony\Component\Security\Core\User\User\000password";s:8:"password";s:50:"\000Symfony\Component\Security\Core\User\User\000enabled";b:1;s:60:"\000Symfony\Component\Security\Core\User\User\000accountNonExpired";b:1;s:64:"\000Symfony\Component\Security\Core\User\User\000credentialsNonExpired";b:1;s:59:"\000Symfony\Component\Security\Core\User\User\000accountNonLocked";b:1;s:48:"\000Symfony\Component\Security\Core\User\User\000roles";a:1:{i:0;O:41:"Symfony\Component\Security\Core\Role\Role":1:{s:47:"\000Symfony\Component\Security\Core\Role\Role\000role";s:4:"name";}}}i:1;b:1;i:2;a:1:{i:0;r:11;}i:3;a:0:{}}";}}"
array(1) {
  [0] =>
  class Symfony\Component\Security\Core\Role\Role#947 (1) {
    private $role =>
    string(4) "name"
  }
}
array(1) {
  [0] =>
  bool(true)
}
*/

The problem appears to be with the role object being serialized as {i:0;r:11;}. I think the issue is that the roles are serialized separately from the user, but \serialize() is still treating the role object as a reference, so on \unserialize(), the reference id doesn't exist.
@dimarick
Copy link

This happened because https://bugs.php.net/bug.php?id=65591
serialize/unserialize works incorrent when calls parent::serialize()

@eko eko mentioned this issue Aug 29, 2016
Merged
fabpot added a commit that referenced this issue Mar 22, 2017
@fabpot
bug #19778 [Security] Fixed roles serialization on token from user ob…
a6b20d1 
…ject (eko)

This PR was merged into the 2.7 branch.

Discussion
----------

[Security] Fixed roles serialization on token from user object

| Q | A |
| --- | --- |
| Branch? | 2.7 |
| Bug fix? | yes |
| New feature? | no |
| BC breaks? | no |
| Deprecations? | no |
| Tests pass? | yes |
| Fixed tickets | #14274 |
| License | MIT |
| Doc PR | - |

This PR fixes the serialization of tokens when using `Role` objects provided from the user. Indeed, there were actually a reference issue that can causes fatal errors like the following one:

```
FatalErrorException in RoleHierarchy.php line 43:
Error: Call to a member function getRole() on string
```

Here is a small code example to reproduce and its output:

``` php
$user = new Symfony\Component\Security\Core\User\User('name', 'password', [
    new Symfony\Component\Security\Core\Role\Role('name')
]);
$token = new Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken($user, 'password', 'providerKey', $user->getRoles());

$serialized = serialize($token);
$unserialized = unserialize($serialized);

var_dump($unserialized->getRoles());
```

Before:

```
array(1) { [0]=> bool(true) }
```

After:

```
array(1) { [0]=> object(Symfony\Component\Security\Core\Role\Role)#15 (1) {["role":"Symfony\Component\Security\Core\Role\Role":private]=> string(4) "name" } }
```

Thank you

Commits
-------

dfa7f50 [Security] Fixed roles serialization on token from user object
@fabpot fabpot closed this as completed Mar 22, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug Security Status: Needs Review
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@fabpot @javiereguiluz @toxygene @xabbuh @dimarick @carsonbot