Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Unserialize $parentData, if needed, to avoid errors #36862

Merged
merged 1 commit into from May 18, 2020
Merged

[Security] Unserialize $parentData, if needed, to avoid errors #36862

merged 1 commit into from May 18, 2020

Conversation

rfaivre
Copy link
Contributor

@rfaivre rfaivre commented May 18, 2020

Check that the $parentData is an array. If it's a string, the variable is unserialized.
Useful to not break the compatibility with the older versions.
Bug reproduced when upgrading from 3.4 to 4.4

Q A
Branch? 4.4
Bug fix? yes
New feature? no
Deprecations? no
Tickets Fix #36813
License MIT
Doc PR symfony/symfony-docs#...

@nicolas-grekas nicolas-grekas added this to the 4.4 milestone May 18, 2020
@nicolas-grekas
Copy link
Member

Should we need the same for these?

$ grep 'parent::__unserialize' * -r
Core/Tests/Authentication/Token/AbstractTokenTest.php:        parent::__unserialize($parentState);
Core/Tests/Exception/CustomUserMessageAuthenticationExceptionTest.php:        parent::__unserialize($parentData);
Core/Authentication/Token/AbstractToken.php:     *         parent::__unserialize($parentData);
Core/Authentication/Token/SwitchUserToken.php:        parent::__unserialize($parentData);
Core/Authentication/Token/PreAuthenticatedToken.php:        parent::__unserialize($parentData);
Core/Authentication/Token/RememberMeToken.php:        parent::__unserialize($parentData);
Core/Authentication/Token/UsernamePasswordToken.php:        parent::__unserialize($parentData);
Core/Authentication/Token/AnonymousToken.php:        parent::__unserialize($parentData);
Core/Exception/UsernameNotFoundException.php:        parent::__unserialize($parentData);
Core/Exception/AccountStatusException.php:        parent::__unserialize($parentData);
Core/Exception/AuthenticationException.php:     *         parent::__unserialize($parentData);
Core/Exception/CustomUserMessageAuthenticationException.php:        parent::__unserialize($parentData);
Core/Exception/CustomUserMessageAccountStatusException.php:        parent::__unserialize($parentData);
Guard/Token/PostAuthenticationGuardToken.php:        parent::__unserialize($parentData);
Http/Authenticator/Token/PostAuthenticationToken.php:        parent::__unserialize($parentData);

@wouterj
Copy link
Member

wouterj commented May 18, 2020
edited

Should we need the same for these?

Except for the ones ending with Test, I think we should (and the last one, or do we want to have compatibility from 3.4 to 5.1?)

@rfaivre
Copy link
Contributor Author

rfaivre commented May 18, 2020

I did the changes except for Test classes

@nicolas-grekas
Copy link
Member

Thank you @rfaivre.

@nicolas-grekas nicolas-grekas merged commit 638b200 into symfony:4.4 May 18, 2020
This was referenced May 26, 2020
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Bug Security Status: Needs Review
Projects
None yet
Milestone
4.4
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@rfaivre @nicolas-grekas @wouterj @carsonbot