minor symfony#21090 Secure unserialize by restricting allowed classes when using PHP 7 (dbrumann)
This PR was merged into the 3.3-dev branch. Discussion ---------- Secure unserialize by restricting allowed classes when using PHP 7 | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | --- | License | MIT | Doc PR | --- While playing around with Symfony in a PHP 7.1 application I noticed a warning in how EnvParametersResource uses unserialize. Since PHP 7.0 introduced the options argument, which allows restricting which classes can be unserialized for better security, it might make sense to use it here. As far as I can tell this is no BC break, it only provides an additional safety mechanism. Commits ------- b420181 Conditionally add options to unserialize in PHP 7.0+.
2 parents 6ea3999 + b420181 commit 033c41a

8 files changed

+41
-8
lines changed


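--- a/src/Symfony/Bridge/Twig/DataCollector/TwigDataCollector.php
+++ b/src/Symfony/Bridge/Twig/DataCollector/TwigDataCollector.php
@@ -93,7 +93,11 @@ public function getHtmlCallGraph()
 public function getProfile()
 {
 if (null === $this->profile) {
-$this->profile = unserialize($this->data['profile']);
+if (PHP_VERSION_ID >= 70000) {
+$this->profile = unserialize($this->data['profile'], array('allowed_classes' => array('Twig_Profiler_Profile')));
+} else {
+$this->profile = unserialize($this->data['profile']);
+}
 }
 
 return $this->profile;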
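Review bot: A class outside `allowed_classes` does not make unserialize() fail — it is materialised as a `__PHP_Incomplete_Class` instance — so the new call on line 97 can still leave a non-profile object in `$this->profile`, which getProfile() then returns unchecked. A guard after the branch such as `if (!$this->profile instanceof \Twig_Profiler_Profile) { throw new \UnexpectedValueException('Serialized profile data is not a Twig_Profiler_Profile.'); }` (message is a constructed example) would turn a filtered payload into an explicit error instead of a confusing failure later. The same "incomplete class rather than failure" behaviour applies to the `allowed_classes => false` calls added in AutowireServiceResource.php, FormError.php, EnvParametersResource.php, FileLinkFormatter.php, Kernel.php, CompiledRoute.php and Route.php, so none of them gets a hard failure on unexpected objects either. As a point of style, Route.php names its whitelist entry with `CompiledRoute::class` while this file uses the string `'Twig_Profiler_Profile'`; `\Twig_Profiler_Profile::class` would be consistent and is checked by static analysis.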

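--- a/src/Symfony/Component/DependencyInjection/Config/AutowireServiceResource.php
+++ b/src/Symfony/Component/DependencyInjection/Config/AutowireServiceResource.php
@@ -65,7 +65,11 @@ public function serialize()
 
 public function unserialize($serialized)
 {
-list($this->class, $this->filePath, $this->autowiringMetadata) = unserialize($serialized);
+if (PHP_VERSION_ID >= 70000) {
+list($this->class, $this->filePath, $this->autowiringMetadata) = unserialize($serialized, array('allowed_classes' => false));
+} else {
+list($this->class, $this->filePath, $this->autowiringMetadata) = unserialize($serialized);
+}
 }
 
 /**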

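--- a/src/Symfony/Component/Form/FormError.php
+++ b/src/Symfony/Component/Form/FormError.php
@@ -185,6 +185,10 @@ public function serialize()
 */
 public function unserialize($serialized)
 {
-list($this->message, $this->messageTemplate, $this->messageParameters, $this->messagePluralization, $this->cause) = unserialize($serialized);
+if (PHP_VERSION_ID >= 70000) {
+list($this->message, $this->messageTemplate, $this->messageParameters, $this->messagePluralization, $this->cause) = unserialize($serialized, array('allowed_classes' => false));
+} else {
+list($this->message, $this->messageTemplate, $this->messageParameters, $this->messagePluralization, $this->cause) = unserialize($serialized);
+}
 }
 }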
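Review bot: `allowed_classes => false` on line 189 also governs the fifth list element, `$this->cause`, whose type is not visible in this hunk; if a cause may be an object, a FormError serialized before this change would now restore its cause as a `__PHP_Incomplete_Class` instead of the original instance, silently, since unserialize() does not fail on a filtered class. Either whitelist the cause type(s) actually stored there, or state in the serialize()/unserialize() docblock (which begins above the hunk) that only scalar and array causes survive a round trip. The other four list elements look like scalar/array data from their names, but that is inferred, not shown here.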

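--- a/src/Symfony/Component/HttpKernel/Config/EnvParametersResource.php
+++ b/src/Symfony/Component/HttpKernel/Config/EnvParametersResource.php
@@ -72,7 +72,11 @@ public function serialize()
 
 public function unserialize($serialized)
 {
-$unserialized = unserialize($serialized);
+if (PHP_VERSION_ID >= 70000) {
+$unserialized = unserialize($serialized, array('allowed_classes' => false));
+} else {
+$unserialized = unserialize($serialized);
+}
 
 $this->prefix = $unserialized['prefix'];
 $this->variables = $unserialized['variables'];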

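--- a/src/Symfony/Component/HttpKernel/Debug/FileLinkFormatter.php
+++ b/src/Symfony/Component/HttpKernel/Debug/FileLinkFormatter.php
@@ -63,7 +63,11 @@ public function serialize()
 
 public function unserialize($serialized)
 {
-$this->fileLinkFormat = unserialize($serialized);
+if (PHP_VERSION_ID >= 70000) {
+$this->fileLinkFormat = unserialize($serialized, array('allowed_classes' => false));
+} else {
+$this->fileLinkFormat = unserialize($serialized);
+}
 }
 
 private function getFileLinkFormat()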

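--- a/src/Symfony/Component/HttpKernel/Kernel.php
+++ b/src/Symfony/Component/HttpKernel/Kernel.php
@@ -763,7 +763,11 @@ public function serialize()
 
 public function unserialize($data)
 {
-list($environment, $debug) = unserialize($data);
+if (PHP_VERSION_ID >= 70000) {
+list($environment, $debug) = unserialize($data, array('allowed_classes' => false));
+} else {
+list($environment, $debug) = unserialize($data);
+}
 
 $this->__construct($environment, $debug);
 }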

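--- a/src/Symfony/Component/Routing/CompiledRoute.php
+++ b/src/Symfony/Component/Routing/CompiledRoute.php
@@ -73,7 +73,12 @@ public function serialize()
 */
 public function unserialize($serialized)
 {
-$data = unserialize($serialized);
+if (PHP_VERSION_ID >= 70000) {
+$data = unserialize($serialized, array('allowed_classes' => false));
+} else {
+$data = unserialize($serialized);
+}
+
 $this->variables = $data['vars'];
 $this->staticPrefix = $data['path_prefix'];
 $this->regex = $data['path_regex'];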

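--- a/src/Symfony/Component/Routing/Route.php
+++ b/src/Symfony/Component/Routing/Route.php
@@ -116,7 +116,11 @@ public function serialize()
 */
 public function unserialize($serialized)
 {
-$data = unserialize($serialized);
+if (PHP_VERSION_ID >= 70000) {
+$data = unserialize($serialized, array('allowed_classes' => array(CompiledRoute::class)));
+} else {
+$data = unserialize($serialized);
+}
 $this->path = $data['path'];
 $this->host = $data['host'];
 $this->defaults = $data['defaults'];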
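Review bot: The whitelist on line 120 admits only CompiledRoute, yet the same call also restores `$data['defaults']` (line 124) and the remaining keys assigned below the hunk, whose contents are application-supplied and not visible here; any object stored in route defaults or options would now come back as a `__PHP_Incomplete_Class` rather than the original instance, without unserialize() reporting an error. If that narrowing is intended, the unserialize() docblock that ends on line 116 should say that only CompiledRoute instances are restored, so the contract is explicit for callers relying on serialized routes. The method body continues past the end of the hunk.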
