minor #40546 Security Hardening - unserialize DumpDataCollector (jderusse)

This PR was merged into the 4.4 branch. Discussion ---------- Security Hardening - unserialize DumpDataCollector | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | - | License | MIT | Doc PR | - Commits ------- 214dbfec51 Hardening Security - Unserialize DumpDataCollector
2021-03-23 09:51:46 +01:00 · 2021-03-23 09:51:46 +01:00 · f84adc46f3
commit f84adc46f3
parent 602b52041a 214dbfec51
1 changed files with 6 additions and 1 deletions
--- a/src/Symfony/Component/HttpKernel/DataCollector/DumpDataCollector.php
+++ b/src/Symfony/Component/HttpKernel/DataCollector/DumpDataCollector.php
@ -183,6 +183,11 @@ class DumpDataCollector extends DataCollector implements DataDumperInterface
        $charset = array_pop($this->data);
        $fileLinkFormat = array_pop($this->data);
        $this->dataCount = \count($this->data);
+        foreach ($this->data as $dump) {
+            if (!\is_string($dump['name']) || !\is_string($dump['file']) || !\is_int($dump['line'])) {
+                throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+            }
+        }

        self::__construct($this->stopwatch, \is_string($fileLinkFormat) || $fileLinkFormat instanceof FileLinkFormatter ? $fileLinkFormat : null, \is_string($charset) ? $charset : null);
    }
@ -257,7 +262,7 @@ class DumpDataCollector extends DataCollector implements DataDumperInterface
        }
    }

-    private function doDump(DataDumperInterface $dumper, $data, string $name, string $file, int $line)
+    private function doDump(DataDumperInterface $dumper, Data $data, string $name, string $file, int $line)
    {
        if ($dumper instanceof CliDumper) {
            $contextDumper = function ($name, $file, $line, $fmt) {