From f0409b403f2ea0a8290b417b2ae35dd0a330cec3 Mon Sep 17 00:00:00 2001
From: Julien Falque
Date: Wed, 27 Jan 2021 17:40:30 +0100
Subject: [PATCH] [Serializer] Prevent access to private properties without getters

---
 .../Normalizer/ObjectNormalizer.php           | 10 ++++----
 .../DummyPrivatePropertyWithoutGetter.php     | 23 +++++++++++++++++++
 .../Tests/Normalizer/ObjectNormalizerTest.php | 10 ++++++++
 3 files changed, 39 insertions(+), 4 deletions(-)
 create mode 100644 src/Symfony/Component/Serializer/Tests/Fixtures/DummyPrivatePropertyWithoutGetter.php

diff --git a/src/Symfony/Component/Serializer/Normalizer/ObjectNormalizer.php b/src/Symfony/Component/Serializer/Normalizer/ObjectNormalizer.php
index 0e1a378fe6..a3bd07440b 100644
--- a/src/Symfony/Component/Serializer/Normalizer/ObjectNormalizer.php
+++ b/src/Symfony/Component/Serializer/Normalizer/ObjectNormalizer.php
@@ -107,8 +107,9 @@ class ObjectNormalizer extends AbstractObjectNormalizer
 
         // properties
         foreach ($reflClass->getProperties() as $reflProperty) {
+            $isPublic = $reflProperty->isPublic();
+
             if ($checkPropertyInitialization) {
-                $isPublic = $reflProperty->isPublic();
                 if (!$isPublic) {
                     $reflProperty->setAccessible(true);
                 }
@@ -116,9 +117,10 @@ class ObjectNormalizer extends AbstractObjectNormalizer
                     unset($attributes[$reflProperty->name]);
                     continue;
                 }
-                if (!$isPublic) {
-                    continue;
-                }
+            }
+
+            if (!$isPublic) {
+                continue;
             }
 
             if ($reflProperty->isStatic() || !$this->isAllowedAttribute($object, $reflProperty->name, $format, $context)) {
diff --git a/src/Symfony/Component/Serializer/Tests/Fixtures/DummyPrivatePropertyWithoutGetter.php b/src/Symfony/Component/Serializer/Tests/Fixtures/DummyPrivatePropertyWithoutGetter.php
new file mode 100644
index 0000000000..d20832131b
--- /dev/null
+++ b/src/Symfony/Component/Serializer/Tests/Fixtures/DummyPrivatePropertyWithoutGetter.php
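Review bot: The `if (!$isPublic) { continue; }` added in the second hunk is now the only thing that keeps a private or protected property with no accessor out of the normalized attributes, yet nothing says why it must stay outside the `$checkPropertyInitialization` branch; without a comment the next refactor can move it back in and silently reintroduce the exposure the commit subject describes, which the first hunk fixes by hoisting `$isPublic` ahead of that branch. I would annotate the new check, e.g. `// Non-public properties are reachable only through the accessors collected above; skip them whether or not initialization was checked.`. The `setAccessible(true)` call is then needed only for the initialization probe, which looks fine since the reflector is dropped on `continue`. The enclosing method starts before the first hunk and ends after the second.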
@@ -0,0 +1,23 @@
+
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Serializer\Tests\Fixtures;
+
+final class DummyPrivatePropertyWithoutGetter
+{
+    private $foo = 'foo';
+    private $bar = 'bar';
+
+    public function getBar()
+    {
+        return $this->bar;
+    }
+}
diff --git a/src/Symfony/Component/Serializer/Tests/Normalizer/ObjectNormalizerTest.php b/src/Symfony/Component/Serializer/Tests/Normalizer/ObjectNormalizerTest.php
index 5c8c54d66c..4d145a5c8b 100644
--- a/src/Symfony/Component/Serializer/Tests/Normalizer/ObjectNormalizerTest.php
+++ b/src/Symfony/Component/Serializer/Tests/Normalizer/ObjectNormalizerTest.php
@@ -33,6 +33,7 @@ use Symfony\Component\Serializer\Normalizer\ObjectNormalizer;
 use Symfony\Component\Serializer\Serializer;
 use Symfony\Component\Serializer\SerializerInterface;
 use Symfony\Component\Serializer\Tests\Fixtures\CircularReferenceDummy;
+use Symfony\Component\Serializer\Tests\Fixtures\DummyPrivatePropertyWithoutGetter;
 use Symfony\Component\Serializer\Tests\Fixtures\GroupDummy;
 use Symfony\Component\Serializer\Tests\Fixtures\MaxDepthDummy;
 use Symfony\Component\Serializer\Tests\Fixtures\OtherSerializedNameDummy;
@@ -143,6 +144,15 @@ class ObjectNormalizerTest extends TestCase
         );
     }
 
+    public function testNormalizeObjectWithPrivatePropertyWithoutGetter()
+    {
+        $obj = new DummyPrivatePropertyWithoutGetter();
+        $this->assertEquals(
+            ['bar' => 'bar'],
+            $this->normalizer->normalize($obj, 'any')
+        );
+    }
+
     public function testDenormalize()
     {
         $obj = $this->normalizer->denormalize(
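Review bot: `$foo` in `DummyPrivatePropertyWithoutGetter` is assigned and never read inside the class, so static analysis will report it as an unused private property even though it is exactly the member the new test depends on; a one-line comment would record the intent, e.g. `// intentionally has no accessor: must not appear in normalized output`. The opening tag and the first lines of the license header are not visible in this hunk as shown, although the `+1,23` count indicates they are present in the patch itself.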
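Review bot: `testNormalizeObjectWithPrivatePropertyWithoutGetter` asserts `['bar' => 'bar']`, which the normalizer already produced whenever the `$checkPropertyInitialization` branch was taken, so the test only catches the regression on runtimes where that flag is false; how the flag is computed is not visible in this diff, but if it depends on the PHP version rather than on `$context`, the guard is effectively silent on the versions most CI jobs run. Consider stating that in the test's docblock or, if the flag can be driven from the context, adding a second assertion with it disabled. A smaller point: `assertSame` fits better than `assertEquals` here, since the expected value is a plain array of strings and the comparison is meant to be strict.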