Merge branch '4.4' into 5.2

* 4.4: [Serializer] Prevent access to private properties without getters
2021-01-27 19:13:05 +01:00 · 2021-01-27 19:13:05 +01:00 · bdf3589918
commit bdf3589918
parent 6a935bb977 8533ea223e
3 changed files with 39 additions and 4 deletions
--- a/src/Symfony/Component/Serializer/Normalizer/ObjectNormalizer.php
+++ b/src/Symfony/Component/Serializer/Normalizer/ObjectNormalizer.php
@ -111,8 +111,9 @@ class ObjectNormalizer extends AbstractObjectNormalizer

        // properties
        foreach ($reflClass->getProperties() as $reflProperty) {
+            $isPublic = $reflProperty->isPublic();
+
            if ($checkPropertyInitialization) {
-                $isPublic = $reflProperty->isPublic();
                if (!$isPublic) {
                    $reflProperty->setAccessible(true);
                }
@ -120,9 +121,10 @@ class ObjectNormalizer extends AbstractObjectNormalizer
                    unset($attributes[$reflProperty->name]);
                    continue;
                }
-                if (!$isPublic) {
-                    continue;
-                }
+            }
+
+            if (!$isPublic) {
+                continue;
            }

            if ($reflProperty->isStatic() || !$this->isAllowedAttribute($object, $reflProperty->name, $format, $context)) {
--- a/src/Symfony/Component/Serializer/Tests/Fixtures/DummyPrivatePropertyWithoutGetter.php
+++ b/src/Symfony/Component/Serializer/Tests/Fixtures/DummyPrivatePropertyWithoutGetter.php
@ -0,0 +1,23 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Serializer\Tests\Fixtures;
+
+final class DummyPrivatePropertyWithoutGetter
+{
+    private $foo = 'foo';
+    private $bar = 'bar';
+
+    public function getBar()
+    {
+        return $this->bar;
+    }
+}
--- a/src/Symfony/Component/Serializer/Tests/Normalizer/ObjectNormalizerTest.php
+++ b/src/Symfony/Component/Serializer/Tests/Normalizer/ObjectNormalizerTest.php
@ -33,6 +33,7 @@ use Symfony\Component\Serializer\Serializer;
 use Symfony\Component\Serializer\SerializerInterface;
 use Symfony\Component\Serializer\Tests\Fixtures\Annotations\GroupDummy;
 use Symfony\Component\Serializer\Tests\Fixtures\CircularReferenceDummy;
+use Symfony\Component\Serializer\Tests\Fixtures\DummyPrivatePropertyWithoutGetter;
 use Symfony\Component\Serializer\Tests\Fixtures\OtherSerializedNameDummy;
 use Symfony\Component\Serializer\Tests\Fixtures\Php74Dummy;
 use Symfony\Component\Serializer\Tests\Fixtures\Php74DummyPrivate;
@ -140,6 +141,15 @@ class ObjectNormalizerTest extends TestCase
        );
    }

+    public function testNormalizeObjectWithPrivatePropertyWithoutGetter()
+    {
+        $obj = new DummyPrivatePropertyWithoutGetter();
+        $this->assertEquals(
+            ['bar' => 'bar'],
+            $this->normalizer->normalize($obj, 'any')
+        );
+    }
+
    public function testDenormalize()
    {
        $obj = $this->normalizer->denormalize(