Closed
Symfony version(s) affected
5.4
Description
When the parameter container.dumper.inline_class_loader is enabled, it will also hardwire Polyfill interfaces like Stringable.
protected function getSecrets_VaultService()
{
    include_once \dirname(__DIR__, 4).'/vendor/symfony/framework-bundle/Secrets/AbstractVault.php';
    include_once \dirname(__DIR__, 4).'/vendor/symfony/dependency-injection/EnvVarLoaderInterface.php';
    include_once \dirname(__DIR__, 4).'/vendor/symfony/framework-bundle/Secrets/SodiumVault.php';
    include_once \dirname(__DIR__, 4).'/vendor/symfony/polyfill-php80/Resources/stubs/Stringable.php';
    include_once \dirname(__DIR__, 4).'/vendor/symfony/string/LazyString.php';

    return $this->privates['secrets.vault'] = new \Symfony\Bundle\FrameworkBundle\Secrets\SodiumVault((\dirname(__DIR__, 4).'/config/secrets/'.$this->getEnv('string:default:kernel.environment:APP_RUNTIME_ENV')), \Symfony\Component\String\LazyString::fromCallable(\Closure::fromCallable([0 => $this, 1 => 'getEnv']), 'base64:default::SYMFONY_DECRYPTION_SECRET'));
}
How to reproduce
- Enable that parameter
- Use the interface BEFORE using the container
- Get the service (looks like the Symfony secret vault service)
- PHP Boom as the interface is already defined
Possible Solution
Create a blacklist of which classes should not be included there
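The failure described in the reproduction steps, as an added PHP example that is not part of the original report and not Symfony code. It assumes the interface was first declared from a different file than the one the dumped factory hardwires; DemoStringable, the temporary paths and the helper names are constructed, and the guard is one possible mitigation rather than Symfony's fix.

```php
<?php
// Added illustration, not Symfony code. DemoStringable and all paths are constructed.
declare(strict_types=1);

/** Write a stub declaring $interface, standing in for the polyfill's Stringable.php. */
function writeStub(string $dir, string $interface): string
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    $file = "$dir/$interface.php";
    file_put_contents($file, "<?php\ninterface $interface { public function __toString(); }\n");

    return $file;
}

/** Run $code in a child PHP process so a fatal error does not kill this script. */
function runChild(string $code): array
{
    exec(escapeshellarg(PHP_BINARY).' -d display_errors=1 -r '.escapeshellarg($code).' 2>&1', $out, $exit);

    return [$exit, implode("\n", $out)];
}

$base = sys_get_temp_dir().'/inline_loader_demo_'.getmypid();
// Assumption: the interface was first declared from a different file than the hardwired one.
$early = var_export(writeStub("$base/early", 'DemoStringable'), true);
$vendor = var_export(writeStub("$base/vendor", 'DemoStringable'), true);

$cases = [
    // Unconditional include_once, as in the dumped factory above.
    'hardwired' => "include_once $early; include_once $vendor; echo 'container built';",
    // Skip the include when the symbol already exists (false = do not trigger autoloading).
    'guarded' => "include_once $early; interface_exists('DemoStringable', false) || include_once $vendor; echo 'container built';",
];

foreach ($cases as $name => $code) {
    [$exit, $out] = runChild($code);
    printf("%s: exit=%d\n%s\n\n", $name, $exit, $out);
}

// Remove the constructed files.
foreach (['early', 'vendor'] as $d) {
    unlink("$base/$d/DemoStringable.php");
    rmdir("$base/$d");
}
rmdir($base);
```

The hardwired case ends with a fatal redeclaration error and a non-zero exit status, while the guarded case prints "container built".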