Argument 1 passed to AbstractToken::__unserialize() must be of type array, string given #36813

rfaivre · 2020-05-13T20:58:04Z

Symfony version(s) affected: 4.4.8
php version 7.2

Description
After upgrading from Symfony 3.4 to Symfony 4.4.8, I have a problem during the authentication process.
When the token is retrieved from the session and try to be unserialized, I have this error:

Argument 1 passed to Symfony\\Component\\Security\\Core\\Authentication\\Token\\AbstractToken::__unserialize() must be of the type array, string given, called in /data/vendor/symfony/security-core/Authentication/Token/UsernamePasswordToken.php on line 103 at /data/vendor/symfony/security-core/Authentication/Token/AbstractToken.php:200)"}

In this function of the UsernamePasswordToken.php file:

    /**
     * {@inheritdoc}
     */
    public function __unserialize(array $data): void
    {
        [$this->credentials, $this->providerKey, $parentData] = $data;
        parent::__unserialize($parentData);
    }

$parentData is still serialized. Or, it should be an array. The declaration of __unserialize takes in an array.

Of course, after if I cleared my cookies, everything works well, but it's not the best solution.

How to reproduce
Do an authentication with Symfony 3.4.
Upgrade to Symfony 4.4.8 with the same PHP version (7.2)
Try authentication.

Does Anyone reproduce also this issue?
Some help is appreciated :)

The text was updated successfully, but these errors were encountered:

wouterj · 2020-05-13T21:06:40Z

Are you trying to use a token generated by a 3.4 application in the 4.4 application? (the $parentData variable was a string in 3.4) I believe this is an unsupported use-case (just like cache might break between minor versions).

rfaivre · 2020-05-14T06:19:58Z

Yes, the token was generated in 3.4 application and used in 4.4 app

Maybe another check before passing to __unserialize to ensure the $parentData is an array and not break the compatibility?

$parentData = \is_array($parentData) ? $parentData : unserialize($parentData)

nicolas-grekas · 2020-05-15T09:53:20Z

Did you try this on your app @rfaivre? Does it work?
If confirmed, you could maybe send a PR?

…rors (rfaivre) This PR was squashed before being merged into the 4.4 branch. Discussion ---------- [Security] Unserialize $parentData, if needed, to avoid errors Check that the $parentData is an array. If it's a string, the variable is unserialized. Useful to not break the compatibility with the older versions. Bug reproduced when upgrading from 3.4 to 4.4 | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #36813 | License | MIT | Doc PR | symfony/symfony-docs#...  Commits ------- b447433 [Security] Unserialize $parentData, if needed, to avoid errors

rfaivre added the Bug label May 13, 2020

carsonbot added the Status: Needs Review label May 13, 2020

xabbuh added Security Status: Waiting feedback labels May 14, 2020

rfaivre mentioned this issue May 18, 2020

[Security] Unserialize $parentData, if needed, to avoid errors #36862

Merged

nicolas-grekas closed this as completed May 18, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Argument 1 passed to AbstractToken::__unserialize() must be of type array, string given #36813

Argument 1 passed to AbstractToken::__unserialize() must be of type array, string given #36813

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Argument 1 passed to AbstractToken::__unserialize() must be of type array, string given #36813

Argument 1 passed to AbstractToken::__unserialize() must be of type array, string given #36813

Comments

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!