033c41a6b9
This PR was merged into the 3.3-dev branch.
Discussion
----------
Secure unserialize by restricting allowed classes when using PHP 7
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | ---
| License | MIT
| Doc PR | ---
While playing around with Symfony in a PHP 7.1 application I noticed a warning in how EnvParameterResource uses unserialize. Since PHP 7.0 introduced the options argument, which allows restricting which classes can be unserialized for better security, it might make sense to use it here. As far as I can tell this is no BC break; it only provides an additional safety mechanism.
Commits
-------
b4201810b9
Conditionally add options to unserialize in PHP 7.0+.
83 lines
2.4 KiB
PHP
<?php
|
|
|
|
/*
|
|
* This file is part of the Symfony package.
|
|
*
|
|
* (c) Fabien Potencier <fabien@symfony.com>
|
|
*
|
|
* For the full copyright and license information, please view the LICENSE
|
|
* file that was distributed with this source code.
|
|
*/
|
|
|
|
namespace Symfony\Component\DependencyInjection\Config;
|
|
|
|
@trigger_error('The '.__NAMESPACE__.'\AutowireServiceResource class is deprecated since version 3.3 and will be removed in 4.0. Use ContainerBuilder::getReflectionClass() instead.', E_USER_DEPRECATED);
|
|
|
|
use Symfony\Component\Config\Resource\SelfCheckingResourceInterface;
|
|
use Symfony\Component\DependencyInjection\Compiler\AutowirePass;
|
|
|
|
/**
|
|
* @deprecated since version 3.3, to be removed in 4.0. Use ContainerBuilder::getReflectionClass() instead.
|
|
*/
|
|
class AutowireServiceResource implements SelfCheckingResourceInterface, \Serializable
|
|
{
|
|
private $class;
|
|
private $filePath;
|
|
private $autowiringMetadata = array();
|
|
|
|
public function __construct($class, $path, array $autowiringMetadata)
|
|
{
|
|
$this->class = $class;
|
|
$this->filePath = $path;
|
|
$this->autowiringMetadata = $autowiringMetadata;
|
|
}
|
|
|
|
public function isFresh($timestamp)
|
|
{
|
|
if (!file_exists($this->filePath)) {
|
|
return false;
|
|
}
|
|
|
|
// has the file *not* been modified? Definitely fresh
|
|
if (@filemtime($this->filePath) <= $timestamp) {
|
|
return true;
|
|
}
|
|
|
|
try {
|
|
$reflectionClass = new \ReflectionClass($this->class);
|
|
} catch (\ReflectionException $e) {
|
|
// the class does not exist anymore!
|
|
return false;
|
|
}
|
|
|
|
return (array) $this === (array) AutowirePass::createResourceForClass($reflectionClass);
|
|
}
|
|
|
|
public function __toString()
|
|
{
|
|
return 'service.autowire.'.$this->class;
|
|
}
|
|
|
|
public function serialize()
|
|
{
|
|
return serialize(array($this->class, $this->filePath, $this->autowiringMetadata));
|
|
}
|
|
|
|
public function unserialize($serialized)
|
|
{
|
|
if (PHP_VERSION_ID >= 70000) {
|
|
list($this->class, $this->filePath, $this->autowiringMetadata) = unserialize($serialized, array('allowed_classes' => false));
|
|
} else {
|
|
list($this->class, $this->filePath, $this->autowiringMetadata) = unserialize($serialized);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* @deprecated Implemented for compatibility with Symfony 2.8
|
|
*/
|
|
public function getResource()
|
|
{
|
|
return $this->filePath;
|
|
}
|
|
}
|
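Review bot: The new unserialize() call in unserialize() still feeds its result straight into list() without checking it, so a truncated or tampered payload makes unserialize() return false (with a notice) and silently leaves $class, $filePath and $autowiringMetadata null, breaking the array contract the constructor establishes for the metadata. Passing `array('allowed_classes' => false)` is the right restriction here, since serialize() only ever emits a plain array of the three fields, but it only protects the PHP 7 branch; on PHP 5 the else branch still instantiates arbitrary classes from the payload, which the commit cannot fix and is worth stating in a comment such as `// PHP < 7 has no allowed_classes option; the cache payload is trusted there`. I would also fold the two branches into one call and reject anything that is not a three-element array; whether that should throw or just leave the resource in a "not fresh" state depends on how the cache layer treats failures, which I cannot tell from this file. This assumes $autowiringMetadata holds only scalars and arrays — if AutowirePass::createResourceForClass() ever stores objects, allowed_classes=false would turn them into __PHP_Incomplete_Class and the comparison in isFresh() would always fail; please confirm.
```php
public function unserialize($serialized)
{
    // allowed_classes is only available since PHP 7.0; PHP < 7 has no
    // way to restrict instantiation and treats the cache payload as trusted.
    $data = PHP_VERSION_ID >= 70000
        ? unserialize($serialized, array('allowed_classes' => false))
        : unserialize($serialized);

    // unserialize() returns false on malformed input; never let that
    // propagate as three null properties.
    if (!is_array($data) || 3 !== count($data)) {
        throw new \UnexpectedValueException('Malformed serialized AutowireServiceResource payload.');
    }

    list($this->class, $this->filePath, $this->autowiringMetadata) = $data;
}
```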