Dont allow unserializing classes with a destructor - 5.2

symfony · nicolas-grekas · Jan 12, 2021 · Dec 15, 2020 · Dec 15, 2020 · 98601908bb727a3b40433da8b7500d392ff7ad24
commit 98601908bb727a3b40433da8b7500d392ff7ad24
diff --git a/src/Symfony/Component/HttpClient/Response/CommonResponseTrait.php b/src/Symfony/Component/HttpClient/Response/CommonResponseTrait.php
@@ -127,6 +127,16 @@ public function toStream(bool $throw = true)
         return $stream;
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     /**
      * Closes the response and all its network handles.
      */

diff --git a/src/Symfony/Component/HttpClient/Response/TraceableResponse.php b/src/Symfony/Component/HttpClient/Response/TraceableResponse.php
@@ -44,6 +44,16 @@ public function __construct(HttpClientInterface $client, ResponseInterface $resp
         $this->event = $event;
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         try {

diff --git a/src/Symfony/Component/RateLimiter/Policy/TokenBucket.php b/src/Symfony/Component/RateLimiter/Policy/TokenBucket.php
@@ -104,6 +104,10 @@ public function __sleep(): array
      */
     public function __wakeup(): void
     {
+        if (!\is_string($this->stringRate)) {
+            throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+        }
+
         $this->rate = Rate::fromString($this->stringRate);
         unset($this->stringRate);
     }