bug #25340 [Serializer] Unset attributes when creating child context (dunglas)

fabpot · fabpot · commit d7cb006c1106 · 2017-12-07T11:55:50.000-08:00
This PR was merged into the 3.3 branch. Discussion ---------- [Serializer] Unset attributes when creating child context | Q | A | ------------- | --- | Branch? | 3.3 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | n/a | License | MIT | Doc PR | n/a In some cases, the `attributes` key isn't overrode when creating the context passed to nested normalizers. It's definitely a bug, but an attacker cannot access to non public data (ignored attributes are checked before the `attributes` key). However some data that must be public may be missing as highlighted by the test. I've introduced the initial bug here: #18834 Commits ------- 4ff9d99 [Serializer] Unset attributes when creating child context
diff --git a/src/Symfony/Component/Serializer/Normalizer/AbstractNormalizer.php b/src/Symfony/Component/Serializer/Normalizer/AbstractNormalizer.php
@@ -402,6 +402,8 @@ protected function createChildContext(array $parentContext, $attribute)
     {
         if (isset($parentContext[self::ATTRIBUTES][$attribute])) {
             $parentContext[self::ATTRIBUTES] = $parentContext[self::ATTRIBUTES][$attribute];
+        } else {
+            unset($parentContext[self::ATTRIBUTES]);
         }
 
         return $parentContext;
diff --git a/src/Symfony/Component/Serializer/Tests/Normalizer/ObjectNormalizerTest.php b/src/Symfony/Component/Serializer/Tests/Normalizer/ObjectNormalizerTest.php
@@ -673,6 +673,16 @@ public function testAttributesContextNormalize()
             ),
             $serializer->normalize($objectDummy, null, $context)
         );
+
+        $context = array('attributes' => array('foo', 'baz', 'object'));
+        $this->assertEquals(
+            array(
+                'foo' => 'foo',
+                'baz' => true,
+                'object' => array('foo' => 'innerFoo', 'bar' => 'innerBar'),
+            ),
+            $serializer->normalize($objectDummy, null, $context)
+        );
     }
 
     public function testAttributesContextDenormalize()

Original file line number	Diff line number	Diff line change
`@@ -402,6 +402,8 @@ protected function createChildContext(array $parentContext, $attribute)`
`402`	`402`	`{`
`403`	`403`	`if (isset($parentContext[self::ATTRIBUTES][$attribute])) {`
`404`	`404`	`$parentContext[self::ATTRIBUTES] = $parentContext[self::ATTRIBUTES][$attribute];`
	`405`	`+ } else {`
	`406`	`+ unset($parentContext[self::ATTRIBUTES]);`
`405`	`407`	`}`
`406`	`408`
`407`	`409`	`return $parentContext;`