[VarExporter] dont call userland code with uninitialized objects

2018-12-13 08:39:35 +01:00 · 2018-12-13 08:39:35 +01:00 · f0cd2b2838
commit f0cd2b2838
parent dcd0f2953d
3 changed files with 40 additions and 8 deletions
--- a/src/Symfony/Component/VarExporter/Internal/Registry.php
+++ b/src/Symfony/Component/VarExporter/Internal/Registry.php
@ -93,15 +93,9 @@ class Registry
                    throw new NotInstantiableTypeException($class);
                }
            }
-            if (null !== $proto && !$proto instanceof \Throwable) {
+            if (null !== $proto && !$proto instanceof \Throwable && !$proto instanceof \Serializable && !\method_exists($class, '__sleep')) {
                try {
-                    if (!$proto instanceof \Serializable && !\method_exists($class, '__sleep')) {
-                        serialize($proto);
-                    } elseif ($instantiableWithoutConstructor) {
-                        serialize($reflector->newInstanceWithoutConstructor());
-                    } else {
-                        serialize(unserialize(($proto instanceof \Serializable ? 'C:' : 'O:').\strlen($class).':"'.$class.'":0:{}'));
-                    }
+                    serialize($proto);
                } catch (\Exception $e) {
                    throw new NotInstantiableTypeException($class, $e);
                }
--- a/src/Symfony/Component/VarExporter/Tests/Fixtures/foo-serializable.php
+++ b/src/Symfony/Component/VarExporter/Tests/Fixtures/foo-serializable.php
@ -0,0 +1,11 @@
+<?php
+
+return \Symfony\Component\VarExporter\Internal\Hydrator::hydrate(
+    $o = \Symfony\Component\VarExporter\Internal\Registry::unserialize([], [
+        'C:51:"Symfony\\Component\\VarExporter\\Tests\\FooSerializable":20:{a:1:{i:0;s:3:"bar";}}',
+    ]),
+    null,
+    [],
+    $o[0],
+    []
+);
--- a/src/Symfony/Component/VarExporter/Tests/VarExporterTest.php
+++ b/src/Symfony/Component/VarExporter/Tests/VarExporterTest.php
@ -194,6 +194,8 @@ class VarExporterTest extends TestCase
        yield array('wakeup-refl', $value);

        yield array('abstract-parent', new ConcreteClass());
+
+        yield array('foo-serializable', new FooSerializable('bar'));
    }
 }

@ -342,3 +344,28 @@ class ConcreteClass extends AbstractClass
        $this->setBar(234);
    }
 }
+
+class FooSerializable implements \Serializable
+{
+    private $foo;
+
+    public function __construct(string $foo)
+    {
+        $this->foo = $foo;
+    }
+
+    public function getFoo(): string
+    {
+        return $this->foo;
+    }
+
+    public function serialize(): string
+    {
+        return serialize(array($this->getFoo()));
+    }
+
+    public function unserialize($str)
+    {
+        list($this->foo) = unserialize($str);
+    }
+}