bug #36862 [Security] Unserialize $parentData, if needed, to avoid errors (rfaivre)
This PR was squashed before being merged into the 4.4 branch.
Discussion
----------
[Security] Unserialize $parentData, if needed, to avoid errors
Check that $parentData is an array; if it is a string, unserialize it.
This avoids breaking compatibility with older versions.
Bug reproduced when upgrading from 3.4 to 4.4
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix #36813
| License | MIT
| Doc PR | symfony/symfony-docs#... <!-- required for new features -->
Commits
-------
b447433b67
[Security] Unserialize $parentData, if needed, to avoid errors
commit
638b200c24
|
@ -68,6 +68,7 @@ class AnonymousToken extends AbstractToken
|
|||
public function __unserialize(array $data): void
|
||||
{
|
||||
[$this->secret, $parentData] = $data;
|
||||
$parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
|
||||
parent::__unserialize($parentData);
|
||||
}
|
||||
}
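Review bot: The fallback `unserialize($parentData)` added in `AnonymousToken::__unserialize` runs on any non-array value, with no options and no check of its result. A malformed legacy string yields `false`, and a non-string value raises a type error or deprecation, either of which goes straight to `parent::__unserialize()`, whose parameter is presumably `array`-typed like this one. Since `unserialize()` options apply per call, this nested call would also not inherit an `allowed_classes` restriction set on the outer call, which matters if these payloads are read back from session storage. Consider decoding only when `\is_string($parentData)`, then rejecting anything still not an array, e.g. `if (!\is_array($parentData)) { throw new \UnexpectedValueException('Unexpected serialized parent data.'); }`, and passing an explicit `allowed_classes` list if the legacy payload's classes can be enumerated. The same line is added to the eight other `__unserialize` methods on this page, from PreAuthenticatedToken through PostAuthenticationGuardToken.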
|
||||
|
|
|
@ -26,7 +26,6 @@ class PreAuthenticatedToken extends AbstractToken
|
|||
/**
|
||||
* @param string|\Stringable|UserInterface $user
|
||||
* @param mixed $credentials
|
||||
* @param string $providerKey
|
||||
* @param string[] $roles
|
||||
*/
|
||||
public function __construct($user, $credentials, string $providerKey, array $roles = [])
|
||||
|
@ -88,6 +87,7 @@ class PreAuthenticatedToken extends AbstractToken
|
|||
public function __unserialize(array $data): void
|
||||
{
|
||||
[$this->credentials, $this->providerKey, $parentData] = $data;
|
||||
$parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
|
||||
parent::__unserialize($parentData);
|
||||
}
|
||||
}
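Review bot: The compatibility branch added to `PreAuthenticatedToken::__unserialize` has no comment explaining why `$parentData` can arrive as a string, so a later cleanup could drop it or copy it further without knowing its purpose. Going by the PR description, a line such as `// BC: data serialized by 3.4 may carry the parent state as a nested serialized string` above the assignment would record that. The identical statement is pasted into all nine classes in this commit, so a single shared helper would keep any later hardening of this path in one place.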
|
||||
|
|
|
@ -101,6 +101,7 @@ class RememberMeToken extends AbstractToken
|
|||
public function __unserialize(array $data): void
|
||||
{
|
||||
[$this->secret, $this->providerKey, $parentData] = $data;
|
||||
$parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
|
||||
parent::__unserialize($parentData);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -54,6 +54,7 @@ class SwitchUserToken extends UsernamePasswordToken
|
|||
public function __unserialize(array $data): void
|
||||
{
|
||||
[$this->originalToken, $parentData] = $data;
|
||||
$parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
|
||||
parent::__unserialize($parentData);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -99,6 +99,7 @@ class UsernamePasswordToken extends AbstractToken
|
|||
public function __unserialize(array $data): void
|
||||
{
|
||||
[$this->credentials, $this->providerKey, $parentData] = $data;
|
||||
$parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
|
||||
parent::__unserialize($parentData);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -53,6 +53,7 @@ abstract class AccountStatusException extends AuthenticationException
|
|||
public function __unserialize(array $data): void
|
||||
{
|
||||
[$this->user, $parentData] = $data;
|
||||
$parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
|
||||
parent::__unserialize($parentData);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -69,6 +69,7 @@ class CustomUserMessageAuthenticationException extends AuthenticationException
|
|||
public function __unserialize(array $data): void
|
||||
{
|
||||
[$parentData, $this->messageKey, $this->messageData] = $data;
|
||||
$parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
|
||||
parent::__unserialize($parentData);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -71,6 +71,7 @@ class UsernameNotFoundException extends AuthenticationException
|
|||
public function __unserialize(array $data): void
|
||||
{
|
||||
[$this->username, $parentData] = $data;
|
||||
$parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
|
||||
parent::__unserialize($parentData);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -83,6 +83,7 @@ class PostAuthenticationGuardToken extends AbstractToken implements GuardTokenIn
|
|||
public function __unserialize(array $data): void
|
||||
{
|
||||
[$this->providerKey, $parentData] = $data;
|
||||
$parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
|
||||
parent::__unserialize($parentData);
|
||||
}
|
||||
}
|
||||
|
|