From f0cd2b2838baffcaec87de5750343ced209630f7 Mon Sep 17 00:00:00 2001
From: Nicolas Grekas
Date: Thu, 13 Dec 2018 08:39:35 +0100
Subject: [PATCH] [VarExporter] dont call userland code with uninitialized objects
---
 .../VarExporter/Internal/Registry.php | 10 ++-----
 .../Tests/Fixtures/foo-serializable.php | 11 ++++++++
 .../VarExporter/Tests/VarExporterTest.php | 27 +++++++++++++++++++
 3 files changed, 40 insertions(+), 8 deletions(-)
 create mode 100644 src/Symfony/Component/VarExporter/Tests/Fixtures/foo-serializable.php
diff --git a/src/Symfony/Component/VarExporter/Internal/Registry.php b/src/Symfony/Component/VarExporter/Internal/Registry.php
index 487a8566e2..705722650a 100644
--- a/src/Symfony/Component/VarExporter/Internal/Registry.php
+++ b/src/Symfony/Component/VarExporter/Internal/Registry.php
@@ -93,15 +93,9 @@ class Registry
 throw new NotInstantiableTypeException($class);
 }
 }
- if (null !== $proto && !$proto instanceof \Throwable) {
+ if (null !== $proto && !$proto instanceof \Throwable && !$proto instanceof \Serializable && !\method_exists($class, '__sleep')) {
 try {
- if (!$proto instanceof \Serializable && !\method_exists($class, '__sleep')) {
- serialize($proto);
- } elseif ($instantiableWithoutConstructor) {
- serialize($reflector->newInstanceWithoutConstructor());
- } else {
- serialize(unserialize(($proto instanceof \Serializable ? 'C:' : 'O:').\strlen($class).':"'.$class.'":0:{}'));
- }
+ serialize($proto);
 } catch (\Exception $e) {
 throw new NotInstantiableTypeException($class, $e);
 }
diff --git a/src/Symfony/Component/VarExporter/Tests/Fixtures/foo-serializable.php b/src/Symfony/Component/VarExporter/Tests/Fixtures/foo-serializable.php
new file mode 100644
index 0000000000..fd4e267101
--- /dev/null
+++ b/src/Symfony/Component/VarExporter/Tests/Fixtures/foo-serializable.php
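Review bot: The rewritten `+if` line on the new side now decides, in four clauses, whether the `serialize($proto)` probe runs at all, yet nothing in the hunk says why `\Serializable` implementations and classes with `__sleep` are excluded, so the next maintainer may "simplify" it back. A why-comment above it such as `// Probe with serialize() only when it cannot reach userland code: $proto is not fully constructed, so Serializable::serialize() / __sleep() must not be invoked on it. Classes with such hooks are left unprobed; a serialization failure in them surfaces later rather than as NotInstantiableTypeException here.` would capture the commit's intent. The second half of that comment is inferred from the condition alone: when a class has either hook the whole block is skipped, which seems intended but deserves to be explicit. The enclosing method starts and ends outside the hunk, and where `$proto` is created is not visible here, so the "not fully constructed" wording should be checked against that code.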
@@ -0,0 +1,11 @@
+setBar(234); } } +
+class FooSerializable implements \Serializable
+{
+ private $foo;
+
+ public function __construct(string $foo)
+ {
+ $this->foo = $foo;
+ }
+
+ public function getFoo(): string
+ {
+ return $this->foo;
+ }
+
+ public function serialize(): string
+ {
+ return serialize(array($this->getFoo()));
+ }
+
+ public function unserialize($str)
+ {
+ list($this->foo) = unserialize($str);
+ }
+}
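Review bot: `unserialize($str)` in `FooSerializable::unserialize` accepts any payload, including object graphs, while the matching `serialize()` a few lines above only ever emits a list holding one string; restricting the decode to `list($this->foo) = unserialize($str, ['allowed_classes' => false]);` makes the fixture state that contract and keeps it from instantiating arbitrary classes if a test ever feeds it a foreign string. The untyped `$str` parameter and missing return type follow the `\Serializable` interface signature and are fine to leave as they are. The opening fragment of this hunk (`+setBar(234); } }`) does not read as part of this fixture, and the `+1,11` count in the hunk header does not match the lines shown, so this copy of the patch should be checked against the original commit before relying on it.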