NotificationsYou must be signed in to change notification settings
Fork9.7k
Star30.8k

Commitb4357d7

committed

bug#30006 [Security] don't do nested calls to serialize() (nicolas-grekas, Renan)

This PR was merged into the 3.4 branch.Discussion----------[Security] don't do nested calls to serialize()| Q | A| ------------- | ---| Branch? | 3.4| Bug fix? | yes| New feature? | no| BC breaks? | no| Deprecations? | no| Tests pass? | yes| Fixed tickets |#29951| License | MIT| Doc PR | n/aThe problem (originally reported as `Symfony\Component\Security\Core\Authentication\Token\AbstractToken` issue), may occur also in classes extending `Symfony\Component\Security\Core\Exception\AuthenticationException`Tasks:- [x] Skip native serializer (workaround itself)- [x] Token test- [x] Exception testCommits-------10256fc skip native serialize among child and parent serializable objects41000f1 [Security] dont do nested calls to serialize()

2 parents957b477 +10256fc commitb4357d7Copy full SHA for b4357d7

File tree

12 files changed

+91

-43

lines changed

src/Symfony/Component/Security
- Core
  - Authentication/Token
  - Exception
  - Tests
    - Authentication/Token
      - AbstractTokenTest.php
    - Exception
      - CustomUserMessageAuthenticationExceptionTest.php
- Guard/Token
  - PostAuthenticationGuardToken.php

12 files changed

+91

-43

lines changed

`‎src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php‎`

Lines changed: 17 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -137,22 +137,17 @@ public function eraseCredentials()`
`137`	`137`	`*/`
`138`	`138`	`publicfunctionserialize()`
`139`	`139`	`{`
`140`		`-returnserialize(`
`141`		`- [`
`142`		`-\is_object($this->user) ?clone$this->user :$this->user,`
`143`		`-$this->authenticated,`
`144`		`-array_map(function ($role) {returnclone$role; },$this->roles),`
`145`		`-$this->attributes,`
`146`		`- ]`
`147`		`- );`
	`140`	`+$serialized = [$this->user,$this->authenticated,$this->roles,$this->attributes];`
	`141`	`+`
	`142`	`+return$this->doSerialize($serialized,\func_num_args() ?\func_get_arg(0) :null);`
`148`	`143`	`}`
`149`	`144`
`150`	`145`	`/**`
`151`	`146`	`* {@inheritdoc}`
`152`	`147`	`*/`
`153`	`148`	`publicfunctionunserialize($serialized)`
`154`	`149`	`{`
`155`		`-list($this->user,$this->authenticated,$this->roles,$this->attributes) =unserialize($serialized);`
	`150`	`+list($this->user,$this->authenticated,$this->roles,$this->attributes) =\is_array($serialized) ?$serialized :unserialize($serialized);`
`156`	`151`	`}`
`157`	`152`
`158`	`153`	`/**`
`@@ -232,6 +227,19 @@ public function __toString()`
`232`	`227`	`returnsprintf('%s(user="%s", authenticated=%s, roles="%s")',$class,$this->getUsername(),json_encode($this->authenticated),implode(',',$roles));`
`233`	`228`	`}`
`234`	`229`
	`230`	`+/**`
	`231`	`+ * @internal`
	`232`	`+ */`
	`233`	`+protectedfunctiondoSerialize($serialized,$isCalledFromOverridingMethod)`
	`234`	`+ {`
	`235`	`+if (null ===$isCalledFromOverridingMethod) {`
	`236`	`+$trace =debug_backtrace(DEBUG_BACKTRACE_PROVIDE_OBJECT,3);`
	`237`	`+$isCalledFromOverridingMethod =isset($trace[2]['function'],$trace[2]['object']) &&'serialize' ===$trace[2]['function'] &&$this ===$trace[2]['object'];`
	`238`	`+ }`
	`239`	`+`
	`240`	`+return$isCalledFromOverridingMethod ?$serialized :serialize($serialized);`
	`241`	`+ }`
	`242`	`+`
`235`	`243`	`privatefunctionhasUserChanged(UserInterface$user)`
`236`	`244`	`{`
`237`	`245`	`if (!($this->userinstanceof UserInterface)) {`

`‎src/Symfony/Component/Security/Core/Authentication/Token/AnonymousToken.php‎`

Lines changed: 4 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -59,15 +59,17 @@ public function getSecret()`
`59`	`59`	`*/`
`60`	`60`	`publicfunctionserialize()`
`61`	`61`	`{`
`62`		`-returnserialize([$this->secret,parent::serialize()]);`
	`62`	`+$serialized = [$this->secret,parent::serialize(true)];`
	`63`	`+`
	`64`	`+return$this->doSerialize($serialized,\func_num_args() ?\func_get_arg(0) :null);`
`63`	`65`	`}`
`64`	`66`
`65`	`67`	`/**`
`66`	`68`	`* {@inheritdoc}`
`67`	`69`	`*/`
`68`	`70`	`publicfunctionunserialize($serialized)`
`69`	`71`	`{`
`70`		`-list($this->secret,$parentStr) =unserialize($serialized);`
	`72`	`+list($this->secret,$parentStr) =\is_array($serialized) ?$serialized :unserialize($serialized);`
`71`	`73`	`parent::unserialize($parentStr);`
`72`	`74`	`}`
`73`	`75`	`}`

`‎src/Symfony/Component/Security/Core/Authentication/Token/PreAuthenticatedToken.php‎`

Lines changed: 4 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -79,15 +79,17 @@ public function eraseCredentials()`
`79`	`79`	`*/`
`80`	`80`	`publicfunctionserialize()`
`81`	`81`	`{`
`82`		`-returnserialize([$this->credentials,$this->providerKey,parent::serialize()]);`
	`82`	`+$serialized = [$this->credentials,$this->providerKey,parent::serialize(true)];`
	`83`	`+`
	`84`	`+return$this->doSerialize($serialized,\func_num_args() ?\func_get_arg(0) :null);`
`83`	`85`	`}`
`84`	`86`
`85`	`87`	`/**`
`86`	`88`	`* {@inheritdoc}`
`87`	`89`	`*/`
`88`	`90`	`publicfunctionunserialize($str)`
`89`	`91`	`{`
`90`		`-list($this->credentials,$this->providerKey,$parentStr) =unserialize($str);`
	`92`	`+list($this->credentials,$this->providerKey,$parentStr) =\is_array($str) ?$str :unserialize($str);`
`91`	`93`	`parent::unserialize($parentStr);`
`92`	`94`	`}`
`93`	`95`	`}`

`‎src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php‎`

Lines changed: 4 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -94,19 +94,17 @@ public function getCredentials()`
`94`	`94`	`*/`
`95`	`95`	`publicfunctionserialize()`
`96`	`96`	`{`
`97`		`-returnserialize([`
`98`		`-$this->secret,`
`99`		`-$this->providerKey,`
`100`		`-parent::serialize(),`
`101`		`- ]);`
	`97`	`+$serialized = [$this->secret,$this->providerKey,parent::serialize(true)];`
	`98`	`+`
	`99`	`+return$this->doSerialize($serialized,\func_num_args() ?\func_get_arg(0) :null);`
`102`	`100`	`}`
`103`	`101`
`104`	`102`	`/**`
`105`	`103`	`* {@inheritdoc}`
`106`	`104`	`*/`
`107`	`105`	`publicfunctionunserialize($serialized)`
`108`	`106`	`{`
`109`		`-list($this->secret,$this->providerKey,$parentStr) =unserialize($serialized);`
	`107`	`+list($this->secret,$this->providerKey,$parentStr) =\is_array($serialized) ?$serialized :unserialize($serialized);`
`110`	`108`	`parent::unserialize($parentStr);`
`111`	`109`	`}`
`112`	`110`	`}`

`‎src/Symfony/Component/Security/Core/Authentication/Token/UsernamePasswordToken.php‎`

Lines changed: 4 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -91,15 +91,17 @@ public function eraseCredentials()`
`91`	`91`	`*/`
`92`	`92`	`publicfunctionserialize()`
`93`	`93`	`{`
`94`		`-returnserialize([$this->credentials,$this->providerKey,parent::serialize()]);`
	`94`	`+$serialized = [$this->credentials,$this->providerKey,parent::serialize(true)];`
	`95`	`+`
	`96`	`+return$this->doSerialize($serialized,\func_num_args() ?\func_get_arg(0) :null);`
`95`	`97`	`}`
`96`	`98`
`97`	`99`	`/**`
`98`	`100`	`* {@inheritdoc}`
`99`	`101`	`*/`
`100`	`102`	`publicfunctionunserialize($serialized)`
`101`	`103`	`{`
`102`		`-list($this->credentials,$this->providerKey,$parentStr) =unserialize($serialized);`
	`104`	`+list($this->credentials,$this->providerKey,$parentStr) =\is_array($serialized) ?$serialized :unserialize($serialized);`
`103`	`105`	`parent::unserialize($parentStr);`
`104`	`106`	`}`
`105`	`107`	`}`

`‎src/Symfony/Component/Security/Core/Exception/AccountStatusException.php‎`

Lines changed: 4 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -44,18 +44,17 @@ public function setUser(UserInterface $user)`
`44`	`44`	`*/`
`45`	`45`	`publicfunctionserialize()`
`46`	`46`	`{`
`47`		`-returnserialize([`
`48`		`-$this->user,`
`49`		`-parent::serialize(),`
`50`		`- ]);`
	`47`	`+$serialized = [$this->user,parent::serialize(true)];`
	`48`	`+`
	`49`	`+return$this->doSerialize($serialized,\func_num_args() ?\func_get_arg(0) :null);`
`51`	`50`	`}`
`52`	`51`
`53`	`52`	`/**`
`54`	`53`	`* {@inheritdoc}`
`55`	`54`	`*/`
`56`	`55`	`publicfunctionunserialize($str)`
`57`	`56`	`{`
`58`		`-list($this->user,$parentData) =unserialize($str);`
	`57`	`+list($this->user,$parentData) =\is_array($str) ?$str :unserialize($str);`
`59`	`58`
`60`	`59`	`parent::unserialize($parentData);`
`61`	`60`	`}`

`‎src/Symfony/Component/Security/Core/Exception/AuthenticationException.php‎`

Lines changed: 21 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -38,15 +38,33 @@ public function setToken(TokenInterface $token)`
`38`	`38`	`$this->token =$token;`
`39`	`39`	`}`
`40`	`40`
	`41`	`+/**`
	`42`	`+ * {@inheritdoc}`
	`43`	`+ */`
`41`	`44`	`publicfunctionserialize()`
`42`	`45`	`{`
`43`		`-returnserialize([`
	`46`	`+$serialized =[`
`44`	`47`	`$this->token,`
`45`	`48`	`$this->code,`
`46`	`49`	`$this->message,`
`47`	`50`	`$this->file,`
`48`	`51`	`$this->line,`
`49`		`- ]);`
	`52`	`+ ];`
	`53`	`+`
	`54`	`+return$this->doSerialize($serialized,\func_num_args() ?\func_get_arg(0) :null);`
	`55`	`+ }`
	`56`	`+`
	`57`	`+/**`
	`58`	`+ * @internal`
	`59`	`+ */`
	`60`	`+protectedfunctiondoSerialize($serialized,$isCalledFromOverridingMethod)`
	`61`	`+ {`
	`62`	`+if (null ===$isCalledFromOverridingMethod) {`
	`63`	`+$trace =debug_backtrace(DEBUG_BACKTRACE_PROVIDE_OBJECT,3);`
	`64`	`+$isCalledFromOverridingMethod =isset($trace[2]['function'],$trace[2]['object']) &&'serialize' ===$trace[2]['function'] &&$this ===$trace[2]['object'];`
	`65`	`+ }`
	`66`	`+`
	`67`	`+return$isCalledFromOverridingMethod ?$serialized :serialize($serialized);`
`50`	`68`	`}`
`51`	`69`
`52`	`70`	`publicfunctionunserialize($str)`
`@@ -57,7 +75,7 @@ public function unserialize($str)`
`57`	`75`	`$this->message,`
`58`	`76`	`$this->file,`
`59`	`77`	`$this->line`
`60`		`- ) =unserialize($str);`
	`78`	`+ ) =\is_array($str) ?$str :unserialize($str);`
`61`	`79`	`}`
`62`	`80`
`63`	`81`	`/**`

`‎src/Symfony/Component/Security/Core/Exception/CustomUserMessageAuthenticationException.php‎`

Lines changed: 4 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -60,19 +60,17 @@ public function getMessageData()`
`60`	`60`	`*/`
`61`	`61`	`publicfunctionserialize()`
`62`	`62`	`{`
`63`		`-returnserialize([`
`64`		`-parent::serialize(),`
`65`		`-$this->messageKey,`
`66`		`-$this->messageData,`
`67`		`- ]);`
	`63`	`+returnserialize([parent::serialize(true),$this->messageKey,$this->messageData]);`
	`64`	`+`
	`65`	`+return$this->doSerialize($serialized,\func_num_args() ?\func_get_arg(0) :null);`
`68`	`66`	`}`
`69`	`67`
`70`	`68`	`/**`
`71`	`69`	`* {@inheritdoc}`
`72`	`70`	`*/`
`73`	`71`	`publicfunctionunserialize($str)`
`74`	`72`	`{`
`75`		`-list($parentData,$this->messageKey,$this->messageData) =unserialize($str);`
	`73`	`+list($parentData,$this->messageKey,$this->messageData) =\is_array($str) ?$str :unserialize($str);`
`76`	`74`
`77`	`75`	`parent::unserialize($parentData);`
`78`	`76`	`}`

`‎src/Symfony/Component/Security/Core/Exception/UsernameNotFoundException.php‎`

Lines changed: 4 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -54,18 +54,17 @@ public function setUsername($username)`
`54`	`54`	`*/`
`55`	`55`	`publicfunctionserialize()`
`56`	`56`	`{`
`57`		`-returnserialize([`
`58`		`-$this->username,`
`59`		`-parent::serialize(),`
`60`		`- ]);`
	`57`	`+$serialized = [$this->username,parent::serialize(true)];`
	`58`	`+`
	`59`	`+return$this->doSerialize($serialized,\func_num_args() ?\func_get_arg(0) :null);`
`61`	`60`	`}`
`62`	`61`
`63`	`62`	`/**`
`64`	`63`	`* {@inheritdoc}`
`65`	`64`	`*/`
`66`	`65`	`publicfunctionunserialize($str)`
`67`	`66`	`{`
`68`		`-list($this->username,$parentData) =unserialize($str);`
	`67`	`+list($this->username,$parentData) =\is_array($str) ?$str :unserialize($str);`
`69`	`68`
`70`	`69`	`parent::unserialize($parentData);`
`71`	`70`	`}`

`‎src/Symfony/Component/Security/Core/Tests/Authentication/Token/AbstractTokenTest.php‎`

Lines changed: 6 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -43,9 +43,14 @@ public function __construct($user, array $roles = [])`
`43`	`43`	`$this->setUser($user);`
`44`	`44`	`}`
`45`	`45`
	`46`	`+/**`
	`47`	`+ * {@inheritdoc}`
	`48`	`+ */`
`46`	`49`	`publicfunctionserialize()`
`47`	`50`	`{`
`48`		`-returnserialize([$this->credentials,parent::serialize()]);`
	`51`	`+$serialized = [$this->credentials,parent::serialize(true)];`
	`52`	`+`
	`53`	`+return$this->doSerialize($serialized,\func_num_args() ?\func_get_arg(0) :null);`
`49`	`54`	`}`
`50`	`55`
`51`	`56`	`publicfunctionunserialize($serialized)`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commitb4357d7

File tree

12 files changed

12 files changed

`‎src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php‎`

`‎src/Symfony/Component/Security/Core/Authentication/Token/AnonymousToken.php‎`

`‎src/Symfony/Component/Security/Core/Authentication/Token/PreAuthenticatedToken.php‎`

`‎src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php‎`

`‎src/Symfony/Component/Security/Core/Authentication/Token/UsernamePasswordToken.php‎`

`‎src/Symfony/Component/Security/Core/Exception/AccountStatusException.php‎`

`‎src/Symfony/Component/Security/Core/Exception/AuthenticationException.php‎`

`‎src/Symfony/Component/Security/Core/Exception/CustomUserMessageAuthenticationException.php‎`

`‎src/Symfony/Component/Security/Core/Exception/UsernameNotFoundException.php‎`

`‎src/Symfony/Component/Security/Core/Tests/Authentication/Token/AbstractTokenTest.php‎`

0 commit comments