
Commit e6cfa09

bug #39797 Dont allow unserializing classes with a destructor (jderusse)
This PR was merged into the 4.4 branch. Discussion ---------- Dont allow unserializing classes with a destructor | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | - | License | MIT | Doc PR | - Prevent classes whose destructors have side effects from being unserialized Commits ------- facc095 Dont allow unserializing classes with a destructor
2 parents 6eff263 + facc095 commit e6cfa09


14 files changed

+115
-1
lines changed

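--- a/src/Symfony/Bundle/FrameworkBundle/Tests/Functional/app/AppKernel.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/Functional/app/AppKernel.php
@@ -87,6 +87,12 @@ public function __sleep(): array
 
 public function __wakeup()
 {
+foreach ($this as $k => $v) {
+if (\is_object($v)) {
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+}
+
 $this->__construct($this->varDir, $this->testCase, $this->rootConfig, $this->environment, $this->debug);
 }
 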
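Review bot: The loop added to `__wakeup()` binds `$k` but never reads it, and nothing says why objects are rejected before the constructor is re-run. `foreach ($this as $v) {` is enough, with a comment above it such as `// Properties restored by unserialize() are untrusted: refuse any object before handing them back to the constructor.` The check looks only one level deep, so an array property holding objects would still pass; that is probably fine for the five values forwarded here, which are presumably scalars, but it is worth stating in the comment.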

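--- a/src/Symfony/Component/DependencyInjection/Loader/Configurator/AbstractConfigurator.php
+++ b/src/Symfony/Component/DependencyInjection/Loader/Configurator/AbstractConfigurator.php
@@ -34,6 +34,16 @@ public function __call($method, $args)
 throw new \BadMethodCallException(sprintf('Call to undefined method "%s::%s()".', static::class, $method));
 }
 
+public function __sleep()
+{
+throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+}
+
+public function __wakeup()
+{
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+
 /**
 * Checks that a value is valid, optionally replacing Definition and Reference configurators by their configure value.
 *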
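Review bot: The `__sleep()`/`__wakeup()` guards added here have no comment saying that they block (un)serialization on purpose, and the same uncommented pair is added in OrderedHashMapIterator, ExtLdap/Connection, ExtLdap/Query, Lock, UnixPipes, WindowsPipes, Process, CollectionConfigurator and ImportConfigurator. A docblock on `__wakeup()` along the lines of `/** Rejects unserialization: per the commit description, instances run side effects on destruction and must never be built from serialized data. */` would keep a later cleanup from dropping them. The guard only holds while PHP actually calls this `__wakeup()`: a subclass that overrides it without calling the parent, or that defines `__unserialize()` (preferred over `__wakeup()` since PHP 7.4), is not covered, so that limit belongs in the comment too. In this abstract class the message also uses `__CLASS__`, which always names AbstractConfigurator, whereas `__call()` just above reports `static::class`; `'Cannot unserialize '.static::class` would name the concrete configurator.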

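--- a/src/Symfony/Component/Form/Util/OrderedHashMapIterator.php
+++ b/src/Symfony/Component/Form/Util/OrderedHashMapIterator.php
@@ -76,6 +76,16 @@ public function __construct(array &$elements, array &$orderedKeys, array &$manag
 $this->managedCursors[$this->cursorId] = &$this->cursor;
 }
 
+public function __sleep()
+{
+throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+}
+
+public function __wakeup()
+{
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+
 /**
 * Removes the iterator's cursors from the managed cursors of the
 * corresponding {@link OrderedHashMap} instance.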

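--- a/src/Symfony/Component/HttpKernel/DataCollector/DataCollector.php
+++ b/src/Symfony/Component/HttpKernel/DataCollector/DataCollector.php
@@ -123,6 +123,10 @@ public function __sleep()
 public function __wakeup()
 {
 if (__CLASS__ !== $c = (new \ReflectionMethod($this, 'unserialize'))->getDeclaringClass()->name) {
+if (\is_object($this->data)) {
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+
 @trigger_error(sprintf('Implementing the "%s::unserialize()" method is deprecated since Symfony 4.3, store all the serialized state in the "data" property instead.', $c), \E_USER_DEPRECATED);
 $this->unserialize($this->data);
 }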
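Review bot: The `\is_object($this->data)` check is placed inside the `__CLASS__ !== $c` branch, so it runs only for collectors that still override the deprecated `unserialize()`; on the regular path `$this->data` is accepted whatever its type. If that is deliberate because only the legacy branch hands `$this->data` to `unserialize()`, a comment should say so, e.g. `// Legacy path only: $this->data is forwarded to unserialize(), so it must not be an object taken from the payload.` The exception text uses `__CLASS__` and will therefore name DataCollector rather than the collector being restored; `static::class` would be more useful in logs. `__wakeup()` continues past the end of this hunk.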

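--- a/src/Symfony/Component/HttpKernel/DataCollector/DumpDataCollector.php
+++ b/src/Symfony/Component/HttpKernel/DataCollector/DumpDataCollector.php
@@ -184,7 +184,7 @@ public function __wakeup()
 $fileLinkFormat = array_pop($this->data);
 $this->dataCount = \count($this->data);
 
-self::__construct($this->stopwatch, $fileLinkFormat, $charset);
+self::__construct($this->stopwatch, \is_string($fileLinkFormat) || $fileLinkFormat instanceof FileLinkFormatter ? $fileLinkFormat : null, \is_string($charset) ? $charset : null);
 }
 
 public function getDumpsCount()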
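Review bot: The replacement call validates `$fileLinkFormat` and `$charset` but still forwards `$this->stopwatch` unchecked, and it packs both checks into one long argument list that is hard to audit. Whether the constructor's signature already rejects a wrong-typed stopwatch is not visible in this hunk; if it does not, that argument needs the same treatment. Splitting the checks into locals first would read better, for example `$charset = \is_string($charset) ? $charset : null;` on its own line before the call. `__wakeup()` starts above the hunk, where `$charset` is presumably popped from `$this->data`.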

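--- a/src/Symfony/Component/HttpKernel/Kernel.php
+++ b/src/Symfony/Component/HttpKernel/Kernel.php
@@ -920,6 +920,10 @@ public function __sleep()
 
 public function __wakeup()
 {
+if (\is_object($this->environment) || \is_object($this->debug)) {
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+
 if (__CLASS__ !== $c = (new \ReflectionMethod($this, 'serialize'))->getDeclaringClass()->name) {
 @trigger_error(sprintf('Implementing the "%s::serialize()" method is deprecated since Symfony 4.3.', $c), \E_USER_DEPRECATED);
 $this->unserialize($this->serialized);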
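Review bot: The guard at the top of `__wakeup()` inspects only `$this->environment` and `$this->debug`, while `$this->serialized` is handed to `unserialize()` a few lines below on the legacy branch without any type check. AppKernel in this same commit rejects an object in any property with a `foreach ($this as $k => $v)` loop; doing the same here, or at least adding `|| \is_object($this->serialized)` to the condition, would make the two consistent. What the legacy `unserialize()` does with its argument is outside this hunk, so confirm whether an object can actually reach it. The function body continues past the hunk.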

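--- a/src/Symfony/Component/Ldap/Adapter/ExtLdap/Connection.php
+++ b/src/Symfony/Component/Ldap/Adapter/ExtLdap/Connection.php
@@ -35,6 +35,16 @@ class Connection extends AbstractConnection
 /** @var resource */
 private $connection;
 
+public function __sleep()
+{
+throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+}
+
+public function __wakeup()
+{
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+
 public function __destruct()
 {
 $this->disconnect();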

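--- a/src/Symfony/Component/Ldap/Adapter/ExtLdap/Query.php
+++ b/src/Symfony/Component/Ldap/Adapter/ExtLdap/Query.php
@@ -38,6 +38,16 @@ public function __construct(Connection $connection, string $dn, string $query, a
 parent::__construct($connection, $dn, $query, $options);
 }
 
+public function __sleep()
+{
+throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+}
+
+public function __wakeup()
+{
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+
 public function __destruct()
 {
 $con = $this->connection->getResource();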

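--- a/src/Symfony/Component/Lock/Lock.php
+++ b/src/Symfony/Component/Lock/Lock.php
@@ -50,6 +50,16 @@ public function __construct(Key $key, PersistingStoreInterface $store, float $tt
 $this->logger = new NullLogger();
 }
 
+public function __sleep()
+{
+throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+}
+
+public function __wakeup()
+{
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+
 /**
 * Automatically releases the underlying lock when the object is destructed.
 */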

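--- a/src/Symfony/Component/Process/Pipes/UnixPipes.php
+++ b/src/Symfony/Component/Process/Pipes/UnixPipes.php
@@ -35,6 +35,16 @@ public function __construct(?bool $ttyMode, bool $ptyMode, $input, bool $haveRea
 parent::__construct($input);
 }
 
+public function __sleep()
+{
+throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+}
+
+public function __wakeup()
+{
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+
 public function __destruct()
 {
 $this->close();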

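--- a/src/Symfony/Component/Process/Pipes/WindowsPipes.php
+++ b/src/Symfony/Component/Process/Pipes/WindowsPipes.php
@@ -88,6 +88,16 @@ public function __construct($input, bool $haveReadSupport)
 parent::__construct($input);
 }
 
+public function __sleep()
+{
+throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+}
+
+public function __wakeup()
+{
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+
 public function __destruct()
 {
 $this->close();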

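--- a/src/Symfony/Component/Process/Process.php
+++ b/src/Symfony/Component/Process/Process.php
@@ -198,6 +198,16 @@ public static function fromShellCommandline(string $command, string $cwd = null,
 return $process;
 }
 
+public function __sleep()
+{
+throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+}
+
+public function __wakeup()
+{
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+
 public function __destruct()
 {
 $this->stop(0);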

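--- a/src/Symfony/Component/Routing/Loader/Configurator/CollectionConfigurator.php
+++ b/src/Symfony/Component/Routing/Loader/Configurator/CollectionConfigurator.php
@@ -36,6 +36,16 @@ public function __construct(RouteCollection $parent, string $name, self $parentC
 $this->parentPrefixes = $parentPrefixes;
 }
 
+public function __sleep()
+{
+throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+}
+
+public function __wakeup()
+{
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+
 public function __destruct()
 {
 if (null === $this->prefixes) {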

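--- a/src/Symfony/Component/Routing/Loader/Configurator/ImportConfigurator.php
+++ b/src/Symfony/Component/Routing/Loader/Configurator/ImportConfigurator.php
@@ -30,6 +30,16 @@ public function __construct(RouteCollection $parent, RouteCollection $route)
 $this->route = $route;
 }
 
+public function __sleep()
+{
+throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+}
+
+public function __wakeup()
+{
+throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+}
+
 public function __destruct()
 {
 $this->parent->addCollection($this->route);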
