diogo
/
symfony
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

bug #36862 [Security] Unserialize $parentData, if needed, to avoid errors (rfaivre) 

This PR was squashed before being merged into the 4.4 branch.

Discussion
----------

[Security] Unserialize $parentData, if needed, to avoid errors

Check that the $parentData is an array. If it's a string, the variable is unserialized.
Useful to not break the compatibility with the older versions.
Bug reproduced when upgrading from 3.4 to 4.4

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #36813
| License       | MIT
| Doc PR        | symfony/symfony-docs#... <!-- required for new features -->

Commits
-------

b447433b67 [Security] Unserialize $parentData, if needed, to avoid errors
This commit is contained in:
Nicolas Grekas 2020-05-18 23:38:47 +02:00
parent 87c6683a98 b447433b67
commit 638b200c24
9 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/Symfony/Component/Security/Core/Authentication/Token/AnonymousToken.php
View File

@ -68,6 +68,7 @@ class AnonymousToken extends AbstractToken
public function __unserialize(array $data): void
{
[$this->secret, $parentData] = $data;
$parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
parent::__unserialize($parentData);
}
}

2
src/Symfony/Component/Security/Core/Authentication/Token/PreAuthenticatedToken.php
View File

@ -26,7 +26,6 @@ class PreAuthenticatedToken extends AbstractToken
/**
* @param string|\Stringable|UserInterface $user
* @param mixed $credentials
* @param string $providerKey
* @param string[] $roles
*/
public function __construct($user, $credentials, string $providerKey, array $roles = [])
@ -88,6 +87,7 @@ class PreAuthenticatedToken extends AbstractToken
public function __unserialize(array $data): void
{
[$this->credentials, $this->providerKey, $parentData] = $data;
$parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
parent::__unserialize($parentData);
}
}

1
src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php
View File

@ -101,6 +101,7 @@ class RememberMeToken extends AbstractToken
public function __unserialize(array $data): void
{
[$this->secret, $this->providerKey, $parentData] = $data;
$parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
parent::__unserialize($parentData);
}
}

1
src/Symfony/Component/Security/Core/Authentication/Token/SwitchUserToken.php
View File

@ -54,6 +54,7 @@ class SwitchUserToken extends UsernamePasswordToken
public function __unserialize(array $data): void
{
[$this->originalToken, $parentData] = $data;
$parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
parent::__unserialize($parentData);
}
}

1
src/Symfony/Component/Security/Core/Authentication/Token/UsernamePasswordToken.php
View File

@ -99,6 +99,7 @@ class UsernamePasswordToken extends AbstractToken
public function __unserialize(array $data): void
{
[$this->credentials, $this->providerKey, $parentData] = $data;
$parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
parent::__unserialize($parentData);
}
}

1
src/Symfony/Component/Security/Core/Exception/AccountStatusException.php
View File

@ -53,6 +53,7 @@ abstract class AccountStatusException extends AuthenticationException
public function __unserialize(array $data): void
{
[$this->user, $parentData] = $data;
$parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
parent::__unserialize($parentData);
}
}

1
src/Symfony/Component/Security/Core/Exception/CustomUserMessageAuthenticationException.php
View File

@ -69,6 +69,7 @@ class CustomUserMessageAuthenticationException extends AuthenticationException
public function __unserialize(array $data): void
{
[$parentData, $this->messageKey, $this->messageData] = $data;
$parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
parent::__unserialize($parentData);
}
}

1
src/Symfony/Component/Security/Core/Exception/UsernameNotFoundException.php
View File

@ -71,6 +71,7 @@ class UsernameNotFoundException extends AuthenticationException
public function __unserialize(array $data): void
{
[$this->username, $parentData] = $data;
$parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
parent::__unserialize($parentData);
}
}

1
src/Symfony/Component/Security/Guard/Token/PostAuthenticationGuardToken.php
View File

@ -83,6 +83,7 @@ class PostAuthenticationGuardToken extends AbstractToken implements GuardTokenIn
public function __unserialize(array $data): void
{
[$this->providerKey, $parentData] = $data;
$parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
parent::__unserialize($parentData);
}
}