From 782f996df002e4fbdf4e47cea53306b9d095dcd5 Mon Sep 17 00:00:00 2001 From: rfaivre Date: Mon, 18 May 2020 23:14:28 +0200 Subject: [PATCH] [Security] Unserialize $parentData, if needed, to be sure the parentData variable is an array Add check on every __unserialize() function --- .../Security/Core/Authentication/Token/AnonymousToken.php | 1 + .../Security/Core/Authentication/Token/PreAuthenticatedToken.php | 1 + .../Security/Core/Authentication/Token/RememberMeToken.php | 1 + .../Security/Core/Authentication/Token/SwitchUserToken.php | 1 + .../Component/Security/Core/Exception/AccountStatusException.php | 1 + .../Core/Exception/CustomUserMessageAuthenticationException.php | 1 + .../Security/Core/Exception/UsernameNotFoundException.php | 1 + .../Security/Guard/Token/PostAuthenticationGuardToken.php | 1 + 8 files changed, 8 insertions(+) diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/AnonymousToken.php b/src/Symfony/Component/Security/Core/Authentication/Token/AnonymousToken.php index 8c658060ad4a5..db94766d3f166 100644 --- a/src/Symfony/Component/Security/Core/Authentication/Token/AnonymousToken.php +++ b/src/Symfony/Component/Security/Core/Authentication/Token/AnonymousToken.php @@ -68,6 +68,7 @@ public function __serialize(): array public function __unserialize(array $data): void { [$this->secret, $parentData] = $data; + $parentData = \is_array($parentData) ? $parentData : unserialize($parentData); parent::__unserialize($parentData); } } diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/PreAuthenticatedToken.php b/src/Symfony/Component/Security/Core/Authentication/Token/PreAuthenticatedToken.php index eb20f7fe6bbde..1acd005874b79 100644 --- a/src/Symfony/Component/Security/Core/Authentication/Token/PreAuthenticatedToken.php +++ b/src/Symfony/Component/Security/Core/Authentication/Token/PreAuthenticatedToken.php 
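Review bot: The added line in `AnonymousToken::__unserialize()` (and the identical line in the PreAuthenticatedToken, RememberMeToken, SwitchUserToken, AccountStatusException, CustomUserMessageAuthenticationException, UsernameNotFoundException and PostAuthenticationGuardToken hunks) has no failure handling for the nested `unserialize()`: a malformed or truncated string yields `false` with a notice, and that `false` is then handed to `parent::__unserialize()`, which — assuming it is typed `array $data` like these overrides — fails with a TypeError instead of a clear error about a bad payload. I would make the legacy branch explicit and document it, `if (!\is_array($parentData)) { $parentData = unserialize($parentData); }` preceded by a comment such as `// BC: $parentData may still be a serialize() string rather than an array`, and have the branch throw an explicit exception when the result is not an array so a corrupted session payload is reported as such rather than as a type error; the commit message says "if needed" but never states where the string form comes from, which is what the comment should record. Note also that the inner `unserialize()` passes no `allowed_classes` option, so any class restriction the outer caller places on the payload does not carry over to this nested string; that is likely unavoidable because the parent state holds application-defined user objects, but it deserves a sentence in the same comment. Since the line is copy-pasted into eight classes, a single protected helper on the parent token/exception class would leave one place to audit and test.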
@@ -88,6 +88,7 @@ public function __serialize(): array
 public function __unserialize(array $data): void
 {
 [$this->credentials, $this->providerKey, $parentData] = $data;
+ $parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
 parent::__unserialize($parentData);
 }
 }
diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php b/src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php
index 403e3ae8803d1..13d3314534a23 100644
--- a/src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php
+++ b/src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php
@@ -101,6 +101,7 @@ public function __serialize(): array
 public function __unserialize(array $data): void
 {
 [$this->secret, $this->providerKey, $parentData] = $data;
+ $parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
 parent::__unserialize($parentData);
 }
 }
diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/SwitchUserToken.php b/src/Symfony/Component/Security/Core/Authentication/Token/SwitchUserToken.php
index 4177cee658f69..4390d68a6e5cd 100644
--- a/src/Symfony/Component/Security/Core/Authentication/Token/SwitchUserToken.php
+++ b/src/Symfony/Component/Security/Core/Authentication/Token/SwitchUserToken.php
@@ -54,6 +54,7 @@ public function __serialize(): array
 public function __unserialize(array $data): void
 {
 [$this->originalToken, $parentData] = $data;
+ $parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
 parent::__unserialize($parentData);
 }
 }
diff --git a/src/Symfony/Component/Security/Core/Exception/AccountStatusException.php b/src/Symfony/Component/Security/Core/Exception/AccountStatusException.php
index f3fa661c31f4e..1b4e818a1157b 100644
--- a/src/Symfony/Component/Security/Core/Exception/AccountStatusException.php
+++ b/src/Symfony/Component/Security/Core/Exception/AccountStatusException.php
@@ -53,6 +53,7 @@ public function __serialize(): array
 public function __unserialize(array $data): void
 {
 [$this->user, $parentData] = $data;
+ $parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
 parent::__unserialize($parentData);
 }
 }
diff --git a/src/Symfony/Component/Security/Core/Exception/CustomUserMessageAuthenticationException.php b/src/Symfony/Component/Security/Core/Exception/CustomUserMessageAuthenticationException.php
index 203e8ba133dab..879012c65f613 100644
--- a/src/Symfony/Component/Security/Core/Exception/CustomUserMessageAuthenticationException.php
+++ b/src/Symfony/Component/Security/Core/Exception/CustomUserMessageAuthenticationException.php
@@ -69,6 +69,7 @@ public function __serialize(): array
 public function __unserialize(array $data): void
 {
 [$parentData, $this->messageKey, $this->messageData] = $data;
+ $parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
 parent::__unserialize($parentData);
 }
 }
diff --git a/src/Symfony/Component/Security/Core/Exception/UsernameNotFoundException.php b/src/Symfony/Component/Security/Core/Exception/UsernameNotFoundException.php
index 31dd486eec12d..10c78b2056aed 100644
--- a/src/Symfony/Component/Security/Core/Exception/UsernameNotFoundException.php
+++ b/src/Symfony/Component/Security/Core/Exception/UsernameNotFoundException.php
@@ -71,6 +71,7 @@ public function __serialize(): array
 public function __unserialize(array $data): void
 {
 [$this->username, $parentData] = $data;
+ $parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
 parent::__unserialize($parentData);
 }
 }
diff --git a/src/Symfony/Component/Security/Guard/Token/PostAuthenticationGuardToken.php b/src/Symfony/Component/Security/Guard/Token/PostAuthenticationGuardToken.php
index 1c58199c5b0f4..511f455531ec6 100644
--- a/src/Symfony/Component/Security/Guard/Token/PostAuthenticationGuardToken.php
+++ b/src/Symfony/Component/Security/Guard/Token/PostAuthenticationGuardToken.php
@@ -83,6 +83,7 @@ public function __serialize(): array
 public function __unserialize(array $data): void
 {
 [$this->providerKey, $parentData] = $data;
+ $parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
 parent::__unserialize($parentData);
 }
 }