Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit b4357d7

Browse filesBrowse files
nicolas-grekasnicolas-grekas
committed
bug #30006 [Security] don't do nested calls to serialize() (nicolas-grekas, Renan)
This PR was merged into the 3.4 branch. Discussion ---------- [Security] don't do nested calls to serialize() | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #29951 | License | MIT | Doc PR | n/a The problem (originally reported as `Symfony\Component\Security\Core\Authentication\Token\AbstractToken` issue), may occur also in classes extending `Symfony\Component\Security\Core\Exception\AuthenticationException` Tasks: - [x] Skip native serializer (workaround itself) - [x] Token test - [x] Exception test Commits ------- 10256fc skip native serialize among child and parent serializable objects 41000f1 [Security] dont do nested calls to serialize()
2 parents 957b477 + 10256fc commit b4357d7
Copy full SHA for b4357d7
Expand file treeCollapse file tree

12 files changed

+91
-43
lines changed

‎src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php
+17-9Lines changed: 17 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -137,22 +137,17 @@ public function eraseCredentials()
137137
*/
138138
public function serialize()
139139
{
140-
return serialize(
141-
[
142-
\is_object($this->user) ? clone $this->user : $this->user,
143-
$this->authenticated,
144-
array_map(function ($role) { return clone $role; }, $this->roles),
145-
$this->attributes,
146-
]
147-
);
140+
$serialized = [$this->user, $this->authenticated, $this->roles, $this->attributes];
141+
142+
return $this->doSerialize($serialized, \func_num_args() ? \func_get_arg(0) : null);
148143
}
149144

150145
/**
151146
* {@inheritdoc}
152147
*/
153148
public function unserialize($serialized)
154149
{
155-
list($this->user, $this->authenticated, $this->roles, $this->attributes) = unserialize($serialized);
150+
list($this->user, $this->authenticated, $this->roles, $this->attributes) = \is_array($serialized) ? $serialized : unserialize($serialized);
156151
}
157152

158153
/**
@@ -232,6 +227,19 @@ public function __toString()
232227
return sprintf('%s(user="%s", authenticated=%s, roles="%s")', $class, $this->getUsername(), json_encode($this->authenticated), implode(', ', $roles));
233228
}
234229

230+
/**
231+
* @internal
232+
*/
233+
protected function doSerialize($serialized, $isCalledFromOverridingMethod)
234+
{
235+
if (null === $isCalledFromOverridingMethod) {
236+
$trace = debug_backtrace(DEBUG_BACKTRACE_PROVIDE_OBJECT, 3);
237+
$isCalledFromOverridingMethod = isset($trace[2]['function'], $trace[2]['object']) && 'serialize' === $trace[2]['function'] && $this === $trace[2]['object'];
238+
}
239+
240+
return $isCalledFromOverridingMethod ? $serialized : serialize($serialized);
241+
}
242+
235243
private function hasUserChanged(UserInterface $user)
236244
{
237245
if (!($this->user instanceof UserInterface)) {

‎src/Symfony/Component/Security/Core/Authentication/Token/AnonymousToken.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authentication/Token/AnonymousToken.php
+4-2Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -59,15 +59,17 @@ public function getSecret()
5959
*/
6060
public function serialize()
6161
{
62-
return serialize([$this->secret, parent::serialize()]);
62+
$serialized = [$this->secret, parent::serialize(true)];
63+
64+
return $this->doSerialize($serialized, \func_num_args() ? \func_get_arg(0) : null);
6365
}
6466

6567
/**
6668
* {@inheritdoc}
6769
*/
6870
public function unserialize($serialized)
6971
{
70-
list($this->secret, $parentStr) = unserialize($serialized);
72+
list($this->secret, $parentStr) = \is_array($serialized) ? $serialized : unserialize($serialized);
7173
parent::unserialize($parentStr);
7274
}
7375
}

‎src/Symfony/Component/Security/Core/Authentication/Token/PreAuthenticatedToken.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authentication/Token/PreAuthenticatedToken.php
+4-2Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -79,15 +79,17 @@ public function eraseCredentials()
7979
*/
8080
public function serialize()
8181
{
82-
return serialize([$this->credentials, $this->providerKey, parent::serialize()]);
82+
$serialized = [$this->credentials, $this->providerKey, parent::serialize(true)];
83+
84+
return $this->doSerialize($serialized, \func_num_args() ? \func_get_arg(0) : null);
8385
}
8486

8587
/**
8688
* {@inheritdoc}
8789
*/
8890
public function unserialize($str)
8991
{
90-
list($this->credentials, $this->providerKey, $parentStr) = unserialize($str);
92+
list($this->credentials, $this->providerKey, $parentStr) = \is_array($str) ? $str : unserialize($str);
9193
parent::unserialize($parentStr);
9294
}
9395
}

‎src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php
+4-6Lines changed: 4 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -94,19 +94,17 @@ public function getCredentials()
9494
*/
9595
public function serialize()
9696
{
97-
return serialize([
98-
$this->secret,
99-
$this->providerKey,
100-
parent::serialize(),
101-
]);
97+
$serialized = [$this->secret, $this->providerKey, parent::serialize(true)];
98+
99+
return $this->doSerialize($serialized, \func_num_args() ? \func_get_arg(0) : null);
102100
}
103101

104102
/**
105103
* {@inheritdoc}
106104
*/
107105
public function unserialize($serialized)
108106
{
109-
list($this->secret, $this->providerKey, $parentStr) = unserialize($serialized);
107+
list($this->secret, $this->providerKey, $parentStr) = \is_array($serialized) ? $serialized : unserialize($serialized);
110108
parent::unserialize($parentStr);
111109
}
112110
}

‎src/Symfony/Component/Security/Core/Authentication/Token/UsernamePasswordToken.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Authentication/Token/UsernamePasswordToken.php
+4-2Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -91,15 +91,17 @@ public function eraseCredentials()
9191
*/
9292
public function serialize()
9393
{
94-
return serialize([$this->credentials, $this->providerKey, parent::serialize()]);
94+
$serialized = [$this->credentials, $this->providerKey, parent::serialize(true)];
95+
96+
return $this->doSerialize($serialized, \func_num_args() ? \func_get_arg(0) : null);
9597
}
9698

9799
/**
98100
* {@inheritdoc}
99101
*/
100102
public function unserialize($serialized)
101103
{
102-
list($this->credentials, $this->providerKey, $parentStr) = unserialize($serialized);
104+
list($this->credentials, $this->providerKey, $parentStr) = \is_array($serialized) ? $serialized : unserialize($serialized);
103105
parent::unserialize($parentStr);
104106
}
105107
}

‎src/Symfony/Component/Security/Core/Exception/AccountStatusException.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Exception/AccountStatusException.php
+4-5Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -44,18 +44,17 @@ public function setUser(UserInterface $user)
4444
*/
4545
public function serialize()
4646
{
47-
return serialize([
48-
$this->user,
49-
parent::serialize(),
50-
]);
47+
$serialized = [$this->user, parent::serialize(true)];
48+
49+
return $this->doSerialize($serialized, \func_num_args() ? \func_get_arg(0) : null);
5150
}
5251

5352
/**
5453
* {@inheritdoc}
5554
*/
5655
public function unserialize($str)
5756
{
58-
list($this->user, $parentData) = unserialize($str);
57+
list($this->user, $parentData) = \is_array($str) ? $str : unserialize($str);
5958

6059
parent::unserialize($parentData);
6160
}

‎src/Symfony/Component/Security/Core/Exception/AuthenticationException.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Exception/AuthenticationException.php
+21-3Lines changed: 21 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -38,15 +38,33 @@ public function setToken(TokenInterface $token)
3838
$this->token = $token;
3939
}
4040

41+
/**
42+
* {@inheritdoc}
43+
*/
4144
public function serialize()
4245
{
43-
return serialize([
46+
$serialized = [
4447
$this->token,
4548
$this->code,
4649
$this->message,
4750
$this->file,
4851
$this->line,
49-
]);
52+
];
53+
54+
return $this->doSerialize($serialized, \func_num_args() ? \func_get_arg(0) : null);
55+
}
56+
57+
/**
58+
* @internal
59+
*/
60+
protected function doSerialize($serialized, $isCalledFromOverridingMethod)
61+
{
62+
if (null === $isCalledFromOverridingMethod) {
63+
$trace = debug_backtrace(DEBUG_BACKTRACE_PROVIDE_OBJECT, 3);
64+
$isCalledFromOverridingMethod = isset($trace[2]['function'], $trace[2]['object']) && 'serialize' === $trace[2]['function'] && $this === $trace[2]['object'];
65+
}
66+
67+
return $isCalledFromOverridingMethod ? $serialized : serialize($serialized);
5068
}
5169

5270
public function unserialize($str)
@@ -57,7 +75,7 @@ public function unserialize($str)
5775
$this->message,
5876
$this->file,
5977
$this->line
60-
) = unserialize($str);
78+
) = \is_array($str) ? $str : unserialize($str);
6179
}
6280

6381
/**

‎src/Symfony/Component/Security/Core/Exception/CustomUserMessageAuthenticationException.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Exception/CustomUserMessageAuthenticationException.php
+4-6Lines changed: 4 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -60,19 +60,17 @@ public function getMessageData()
6060
*/
6161
public function serialize()
6262
{
63-
return serialize([
64-
parent::serialize(),
65-
$this->messageKey,
66-
$this->messageData,
67-
]);
63+
return serialize([parent::serialize(true), $this->messageKey, $this->messageData]);
64+
65+
return $this->doSerialize($serialized, \func_num_args() ? \func_get_arg(0) : null);
6866
}
6967

7068
/**
7169
* {@inheritdoc}
7270
*/
7371
public function unserialize($str)
7472
{
75-
list($parentData, $this->messageKey, $this->messageData) = unserialize($str);
73+
list($parentData, $this->messageKey, $this->messageData) = \is_array($str) ? $str : unserialize($str);
7674

7775
parent::unserialize($parentData);
7876
}

‎src/Symfony/Component/Security/Core/Exception/UsernameNotFoundException.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Exception/UsernameNotFoundException.php
+4-5Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -54,18 +54,17 @@ public function setUsername($username)
5454
*/
5555
public function serialize()
5656
{
57-
return serialize([
58-
$this->username,
59-
parent::serialize(),
60-
]);
57+
$serialized = [$this->username, parent::serialize(true)];
58+
59+
return $this->doSerialize($serialized, \func_num_args() ? \func_get_arg(0) : null);
6160
}
6261

6362
/**
6463
* {@inheritdoc}
6564
*/
6665
public function unserialize($str)
6766
{
68-
list($this->username, $parentData) = unserialize($str);
67+
list($this->username, $parentData) = \is_array($str) ? $str : unserialize($str);
6968

7069
parent::unserialize($parentData);
7170
}

‎src/Symfony/Component/Security/Core/Tests/Authentication/Token/AbstractTokenTest.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Tests/Authentication/Token/AbstractTokenTest.php
+6-1Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -43,9 +43,14 @@ public function __construct($user, array $roles = [])
4343
$this->setUser($user);
4444
}
4545

46+
/**
47+
* {@inheritdoc}
48+
*/
4649
public function serialize()
4750
{
48-
return serialize([$this->credentials, parent::serialize()]);
51+
$serialized = [$this->credentials, parent::serialize(true)];
52+
53+
return $this->doSerialize($serialized, \func_num_args() ? \func_get_arg(0) : null);
4954
}
5055

5156
public function unserialize($serialized)

‎src/Symfony/Component/Security/Core/Tests/Exception/CustomUserMessageAuthenticationExceptionTest.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Tests/Exception/CustomUserMessageAuthenticationExceptionTest.php
+15Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,7 @@
1212
namespace Symfony\Component\Security\Core\Tests\Exception;
1313

1414
use PHPUnit\Framework\TestCase;
15+
use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
1516
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
1617

1718
class CustomUserMessageAuthenticationExceptionTest extends TestCase
@@ -24,4 +25,18 @@ public function testConstructWithSAfeMessage()
2425
$this->assertEquals(['foo' => true], $e->getMessageData());
2526
$this->assertEquals('SAFE MESSAGE', $e->getMessage());
2627
}
28+
29+
public function testSharedSerializedData()
30+
{
31+
$token = new AnonymousToken('foo', 'bar');
32+
33+
$exception = new CustomUserMessageAuthenticationException();
34+
$exception->setToken($token);
35+
$exception->setSafeMessage('message', ['token' => $token]);
36+
37+
$processed = unserialize(serialize($exception));
38+
$this->assertEquals($token, $processed->getToken());
39+
$this->assertEquals($token, $processed->getMessageData()['token']);
40+
$this->assertSame($processed->getToken(), $processed->getMessageData()['token']);
41+
}
2742
}

‎src/Symfony/Component/Security/Guard/Token/PostAuthenticationGuardToken.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Guard/Token/PostAuthenticationGuardToken.php
+4-2Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -76,15 +76,17 @@ public function getProviderKey()
7676
*/
7777
public function serialize()
7878
{
79-
return serialize([$this->providerKey, parent::serialize()]);
79+
$serialized = [$this->providerKey, parent::serialize(true)];
80+
81+
return $this->doSerialize($serialized, \func_num_args() ? \func_get_arg(0) : null);
8082
}
8183

8284
/**
8385
* {@inheritdoc}
8486
*/
8587
public function unserialize($serialized)
8688
{
87-
list($this->providerKey, $parentStr) = unserialize($serialized);
89+
list($this->providerKey, $parentStr) = \is_array($serialized) ? $serialized : unserialize($serialized);
8890
parent::unserialize($parentStr);
8991
}
9092
}

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.