security #cve-2019-10912 [Cache][PHPUnit Bridge] Prevent destructors with side-effects from being unserialized (nicolas-grekas)

nicolas-grekas · nicolas-grekas · commit b224d4f012db · 2019-04-16T11:37:00.000+02:00
This PR was merged into the 3.4 branch. Discussion ---------- [Cache][PHPUnit Bridge] Prevent destructors with side-effects from being unserialized | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | - | License | MIT | Doc PR | - Reported for `FilesystemCommonTrait` at https://www.intigriti.com/company/submission/CfDJ8Pja6NZvkpNCmx5vVyiGSn7yW8c1j4H0-cnAhIk6fbstOMm028X-XD1kmSuQkGB2n0cRyyVrA2yAiLN_I0EVilaKVLSiSa0UXZJGfN1h85vmk5c2dBBpu619r1YQEIjcXA Commits ------- 4fb9752 Prevent destructors with side-effects from being unserialized
diff --git a/src/Symfony/Bridge/PhpUnit/Legacy/CoverageListenerTrait.php b/src/Symfony/Bridge/PhpUnit/Legacy/CoverageListenerTrait.php
@@ -102,6 +102,16 @@ private function findSutFqcn($test)
         return $sutFqcn;
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         if (!$this->warnings) {
diff --git a/src/Symfony/Bridge/PhpUnit/Legacy/SymfonyTestsListenerTrait.php b/src/Symfony/Bridge/PhpUnit/Legacy/SymfonyTestsListenerTrait.php
@@ -74,6 +74,16 @@ public function __construct(array $mockedNamespaces = [])
         }
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         if (0 < $this->state) {
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/Kernel/ConcreteMicroKernel.php b/src/Symfony/Bundle/FrameworkBundle/Tests/Kernel/ConcreteMicroKernel.php
@@ -64,6 +64,16 @@ public function getLogDir()
         return $this->cacheDir;
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         $fs = new Filesystem();
diff --git a/src/Symfony/Component/Cache/Traits/FilesystemCommonTrait.php b/src/Symfony/Component/Cache/Traits/FilesystemCommonTrait.php
@@ -116,6 +116,16 @@ public static function throwError($type, $message, $file, $line)
         throw new \ErrorException($message, 0, $type, $file, $line);
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         if (method_exists(parent::class, '__destruct')) {

Original file line number	Diff line number	Diff line change
`@@ -74,6 +74,16 @@ public function __construct(array $mockedNamespaces = [])`
`74`	`74`	`}`
`75`	`75`	`}`
`76`	`76`
	`77`	`+ public function __sleep()`
	`78`	`+ {`
	`79`	`+ throw new \BadMethodCallException('Cannot serialize '.__CLASS__);`
	`80`	`+ }`
	`81`	`+`
	`82`	`+ public function __wakeup()`
	`83`	`+ {`
	`84`	`+ throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);`
	`85`	`+ }`
	`86`	`+`
`77`	`87`	`public function __destruct()`
`78`	`88`	`{`
`79`	`89`	`if (0 < $this->state) {`