Dont allow unserializing classes with a destructor - 5.2

2020-12-15 11:45:32 +01:00 · 2020-12-15 11:45:32 +01:00 · 98601908bb
commit 98601908bb
parent 6caf916083
3 changed files with 24 additions and 0 deletions
--- a/src/Symfony/Component/HttpClient/Response/CommonResponseTrait.php
+++ b/src/Symfony/Component/HttpClient/Response/CommonResponseTrait.php
@ -127,6 +127,16 @@ trait CommonResponseTrait
        return $stream;
    }

+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
    /**
     * Closes the response and all its network handles.
     */
--- a/src/Symfony/Component/HttpClient/Response/TraceableResponse.php
+++ b/src/Symfony/Component/HttpClient/Response/TraceableResponse.php
@ -44,6 +44,16 @@ class TraceableResponse implements ResponseInterface, StreamableInterface
        $this->event = $event;
    }

+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
    public function __destruct()
    {
        try {
--- a/src/Symfony/Component/RateLimiter/Policy/TokenBucket.php
+++ b/src/Symfony/Component/RateLimiter/Policy/TokenBucket.php
@ -104,6 +104,10 @@ final class TokenBucket implements LimiterStateInterface
     */
    public function __wakeup(): void
    {
+        if (!\is_string($this->stringRate)) {
+            throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+        }
+
        $this->rate = Rate::fromString($this->stringRate);
        unset($this->stringRate);
    }