minor #21090 Secure unserialize by restricting allowed classes when using PHP 7 (dbrumann)
This PR was merged into the 3.3-dev branch.
Discussion
----------
Secure unserialize by restricting allowed classes when using PHP 7
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | ---
| License | MIT
| Doc PR | ---
While playing around with Symfony in a PHP 7.1 application I noticed a warning in how EnvParameterResoure uses unserialize. Since PHP 7.0 introduced the options argument which allows to restrict which classes can be unserialized for better security, it might make sense to use it here. As far as I can tell this is no BC break, it only provides an additional safety mechanism.
Commits
-------
b4201810b9
Conditionally add options to unserialize in PHP 7.0+.
This commit is contained in:
commit
033c41a6b9
@ -93,7 +93,11 @@ class TwigDataCollector extends DataCollector implements LateDataCollectorInterf
|
||||
public function getProfile()
|
||||
{
|
||||
if (null === $this->profile) {
|
||||
$this->profile = unserialize($this->data['profile']);
|
||||
if (PHP_VERSION_ID >= 70000) {
|
||||
$this->profile = unserialize($this->data['profile'], array('allowed_classes' => array('Twig_Profiler_Profile')));
|
||||
} else {
|
||||
$this->profile = unserialize($this->data['profile']);
|
||||
}
|
||||
}
|
||||
|
||||
return $this->profile;
|
||||
|
@ -65,7 +65,11 @@ class AutowireServiceResource implements SelfCheckingResourceInterface, \Seriali
|
||||
|
||||
public function unserialize($serialized)
|
||||
{
|
||||
list($this->class, $this->filePath, $this->autowiringMetadata) = unserialize($serialized);
|
||||
if (PHP_VERSION_ID >= 70000) {
|
||||
list($this->class, $this->filePath, $this->autowiringMetadata) = unserialize($serialized, array('allowed_classes' => false));
|
||||
} else {
|
||||
list($this->class, $this->filePath, $this->autowiringMetadata) = unserialize($serialized);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -185,6 +185,10 @@ class FormError implements \Serializable
|
||||
*/
|
||||
public function unserialize($serialized)
|
||||
{
|
||||
list($this->message, $this->messageTemplate, $this->messageParameters, $this->messagePluralization, $this->cause) = unserialize($serialized);
|
||||
if (PHP_VERSION_ID >= 70000) {
|
||||
list($this->message, $this->messageTemplate, $this->messageParameters, $this->messagePluralization, $this->cause) = unserialize($serialized, array('allowed_classes' => false));
|
||||
} else {
|
||||
list($this->message, $this->messageTemplate, $this->messageParameters, $this->messagePluralization, $this->cause) = unserialize($serialized);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -72,7 +72,11 @@ class EnvParametersResource implements SelfCheckingResourceInterface, \Serializa
|
||||
|
||||
public function unserialize($serialized)
|
||||
{
|
||||
$unserialized = unserialize($serialized);
|
||||
if (PHP_VERSION_ID >= 70000) {
|
||||
$unserialized = unserialize($serialized, array('allowed_classes' => false));
|
||||
} else {
|
||||
$unserialized = unserialize($serialized);
|
||||
}
|
||||
|
||||
$this->prefix = $unserialized['prefix'];
|
||||
$this->variables = $unserialized['variables'];
|
||||
|
@ -63,7 +63,11 @@ class FileLinkFormatter implements \Serializable
|
||||
|
||||
public function unserialize($serialized)
|
||||
{
|
||||
$this->fileLinkFormat = unserialize($serialized);
|
||||
if (PHP_VERSION_ID >= 70000) {
|
||||
$this->fileLinkFormat = unserialize($serialized, array('allowed_classes' => false));
|
||||
} else {
|
||||
$this->fileLinkFormat = unserialize($serialized);
|
||||
}
|
||||
}
|
||||
|
||||
private function getFileLinkFormat()
|
||||
|
@ -763,7 +763,11 @@ abstract class Kernel implements KernelInterface, TerminableInterface
|
||||
|
||||
public function unserialize($data)
|
||||
{
|
||||
list($environment, $debug) = unserialize($data);
|
||||
if (PHP_VERSION_ID >= 70000) {
|
||||
list($environment, $debug) = unserialize($data, array('allowed_classes' => false));
|
||||
} else {
|
||||
list($environment, $debug) = unserialize($data);
|
||||
}
|
||||
|
||||
$this->__construct($environment, $debug);
|
||||
}
|
||||
|
@ -73,7 +73,12 @@ class CompiledRoute implements \Serializable
|
||||
*/
|
||||
public function unserialize($serialized)
|
||||
{
|
||||
$data = unserialize($serialized);
|
||||
if (PHP_VERSION_ID >= 70000) {
|
||||
$data = unserialize($serialized, array('allowed_classes' => false));
|
||||
} else {
|
||||
$data = unserialize($serialized);
|
||||
}
|
||||
|
||||
$this->variables = $data['vars'];
|
||||
$this->staticPrefix = $data['path_prefix'];
|
||||
$this->regex = $data['path_regex'];
|
||||
|
@ -116,7 +116,11 @@ class Route implements \Serializable
|
||||
*/
|
||||
public function unserialize($serialized)
|
||||
{
|
||||
$data = unserialize($serialized);
|
||||
if (PHP_VERSION_ID >= 70000) {
|
||||
$data = unserialize($serialized, array('allowed_classes' => array(CompiledRoute::class)));
|
||||
} else {
|
||||
$data = unserialize($serialized);
|
||||
}
|
||||
$this->path = $data['path'];
|
||||
$this->host = $data['host'];
|
||||
$this->defaults = $data['defaults'];
|
||||
|
Reference in New Issue
Block a user