security #cve-2019-18889 [Cache] forbid serializing AbstractAdapter and TagAwareAdapter instances (nicolas-grekas)

This PR was merged into the 4.2 branch.
2019-11-12 14:00:14 +01:00 · 2019-11-12 14:00:14 +01:00 · 5098b66336
parent 9067fdc950 8817d28fca
commit 5098b66336
2 changed files with 20 additions and 0 deletions
--- a/src/Symfony/Component/Cache/Adapter/AbstractAdapter.php
+++ b/src/Symfony/Component/Cache/Adapter/AbstractAdapter.php
@ -277,6 +277,16 @@ abstract class AbstractAdapter implements AdapterInterface, CacheInterface, Logg
        return $ok;
    }

+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
    public function __destruct()
    {
        if ($this->deferred) {
--- a/src/Symfony/Component/Cache/Adapter/TagAwareAdapter.php
+++ b/src/Symfony/Component/Cache/Adapter/TagAwareAdapter.php
@ -277,6 +277,16 @@ class TagAwareAdapter implements TagAwareAdapterInterface, TagAwareCacheInterfac
        return $this->invalidateTags([]);
    }

+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
    public function __destruct()
    {
        $this->commit();