Places where unserialize() is wrapped in try/catch in Symfony 6.2
diff --git a/src/Symfony/Bridge/PhpUnit/DeprecationErrorHandler/Deprecation.php b/src/Symfony/Bridge/PhpUnit/DeprecationErrorHandler/Deprecation.php
index 003680a5c0..e6b0265a45 100644
--- a/src/Symfony/Bridge/PhpUnit/DeprecationErrorHandler/Deprecation.php
+++ b/src/Symfony/Bridge/PhpUnit/DeprecationErrorHandler/Deprecation.php
@@ -95,21 +95,21 @@ class Deprecation
break;
}
}
if (!isset($line['object']) && !isset($line['class'])) {
return;
}
set_error_handler(function () {});
try {
- $parsedMsg = unserialize($this->message);
+ $parsedMsg = unserialize($this->message);//XXX
} finally {
restore_error_handler();
}
if ($parsedMsg && isset($parsedMsg['deprecation'])) {
$this->message = $parsedMsg['deprecation'];
$this->originClass = $parsedMsg['class'];
$this->originMethod = $parsedMsg['method'];
if (isset($parsedMsg['files_stack'])) {
$this->originalFilesStack = $parsedMsg['files_stack'];
}
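Review bot: The unserialize() call on the added line passes no `allowed_classes` option, although the result is only ever read as an array with the `deprecation`, `class`, `method` and `files_stack` keys in the lines that follow the try block. If no object is expected in that payload, `$parsedMsg = unserialize($this->message, ['allowed_classes' => false]);` stops a malformed or unexpected message from instantiating classes and running their `__wakeup`/`__unserialize` hooks; the no-op error handler only hides warnings, it does not restrict what gets instantiated. The enclosing method starts before this hunk.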
diff --git a/src/Symfony/Component/Cache/Adapter/ArrayAdapter.php b/src/Symfony/Component/Cache/Adapter/ArrayAdapter.php
index 2ff499d30c..ce85450adb 100644
--- a/src/Symfony/Component/Cache/Adapter/ArrayAdapter.php
+++ b/src/Symfony/Component/Cache/Adapter/ArrayAdapter.php
@@ -325,21 +325,21 @@ class ArrayAdapter implements AdapterInterface, CacheInterface, LoggerAwareInter
return $value;
}
private function unfreeze(string $key, bool &$isHit)
{
if ('N;' === $value = $this->values[$key]) {
return null;
}
if (\is_string($value) && isset($value[2]) && ':' === $value[1]) {
try {
- $value = unserialize($value);
+ $value = unserialize($value);//XXX
} catch (\Exception $e) {
CacheItem::log($this->logger, 'Failed to unserialize key "{key}": '.$e->getMessage(), ['key' => $key, 'exception' => $e, 'cache-adapter' => get_debug_type($this)]);
$value = false;
}
if (false === $value) {
$value = null;
$isHit = false;
if (!$this->maxItems) {
$this->values[$key] = null;
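Review bot: The `catch (\Exception $e)` around the unserialize() on the added line does not cover `\Error`, so an `\Error` raised during unserialization (a `TypeError`, or one thrown from a class's `__unserialize`/`__wakeup` hook) bypasses the log-and-miss fallback below and propagates out of `unfreeze()`, whereas DefaultMarshaller in this same patch catches `\Error`. If the fallback is meant to absorb every failure, `} catch (\Throwable $e) {` makes the two adapters consistent; if only exceptions are intended, a one-line comment stating that would help. `unfreeze()` continues past the end of this hunk.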
diff --git a/src/Symfony/Component/Cache/Marshaller/DefaultMarshaller.php b/src/Symfony/Component/Cache/Marshaller/DefaultMarshaller.php
index e11607b3da..b02b01cf15 100644
--- a/src/Symfony/Component/Cache/Marshaller/DefaultMarshaller.php
+++ b/src/Symfony/Component/Cache/Marshaller/DefaultMarshaller.php
@@ -64,21 +64,21 @@ class DefaultMarshaller implements MarshallerInterface
if ('N;' === $value) {
return null;
}
static $igbinaryNull;
if ($value === $igbinaryNull ??= \extension_loaded('igbinary') ? igbinary_serialize(null) : false) {
return null;
}
$unserializeCallbackHandler = ini_set('unserialize_callback_func', __CLASS__.'::handleUnserializeCallback');
try {
if (':' === ($value[1] ?? ':')) {
- if (false !== $value = unserialize($value)) {
+ if (false !== $value = unserialize($value)) {//XXX
return $value;
}
} elseif (false === $igbinaryNull) {
throw new \RuntimeException('Failed to unserialize values, did you forget to install the "igbinary" extension?');
} elseif (null !== $value = igbinary_unserialize($value)) {
return $value;
}
throw new \DomainException(error_get_last() ? error_get_last()['message'] : 'Failed to unserialize values.');
} catch (\Error $e) {
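Review bot: The `\DomainException` thrown after the unserialize() on the added line takes its message from `error_get_last()`, which reports the most recent PHP error whatever raised it; unless the part of the method before this hunk calls `error_clear_last()`, a failed unserialize() that emits no diagnostic surfaces a stale, unrelated message. Adding `error_clear_last();` right after the `ini_set()` line pins the message to this call. `error_get_last()` is also evaluated twice on that line; `$lastError = error_get_last();` once would avoid the double call. The method starts before this hunk and its catch block continues past it.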
diff --git a/src/Symfony/Component/Security/Http/Firewall/ContextListener.php b/src/Symfony/Component/Security/Http/Firewall/ContextListener.php
index 3b7d66c6cd..0a178d977f 100644
--- a/src/Symfony/Component/Security/Http/Firewall/ContextListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/ContextListener.php
@@ -257,21 +257,21 @@ class ContextListener extends AbstractListener
$prevUnserializeHandler = ini_set('unserialize_callback_func', __CLASS__.'::handleUnserializeCallback');
$prevErrorHandler = set_error_handler(function ($type, $msg, $file, $line, $context = []) use (&$prevErrorHandler) {
if (__FILE__ === $file) {
throw new \ErrorException($msg, 0x37313BC, $type, $file, $line);
}
return $prevErrorHandler ? $prevErrorHandler($type, $msg, $file, $line, $context) : false;
});
try {
- $token = unserialize($serializedToken);
+ $token = unserialize($serializedToken);//XXX
} catch (\ErrorException $e) {
if (0x37313BC !== $e->getCode()) {
throw $e;
}
$this->logger?->warning('Failed to unserialize the security token from the session.', ['key' => $this->sessionKey, 'received' => $serializedToken, 'exception' => $e]);
} finally {
restore_error_handler();
ini_set('unserialize_callback_func', $prevUnserializeHandler);
}
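Review bot: The warning logged in the `catch (\ErrorException $e)` branch puts the entire serialized token into the log context under `received`; depending on what the token's user class serializes, that copies session contents into log storage. Logging a size and digest instead, `'received' => sprintf('%d bytes, sha256=%s', \strlen($serializedToken), hash('sha256', $serializedToken))`, keeps the diagnostic value without duplicating the payload. The unserialize() on the added line also passes no `allowed_classes` option; since the input is server-side session data this is a trust assumption rather than a defect, but a comment stating it would help. The method starts before this hunk and continues after it.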
diff --git a/src/Symfony/Component/VarDumper/Server/DumpServer.php b/src/Symfony/Component/VarDumper/Server/DumpServer.php
index 8df05a150a..411bf9969c 100644
--- a/src/Symfony/Component/VarDumper/Server/DumpServer.php
+++ b/src/Symfony/Component/VarDumper/Server/DumpServer.php
@@ -51,21 +51,21 @@ class DumpServer
public function listen(callable $callback): void
{
if (null === $this->socket) {
$this->start();
}
foreach ($this->getMessages() as $clientId => $message) {
$this->logger?->info('Received a payload from client {clientId}', ['clientId' => $clientId]);
- $payload = @unserialize(base64_decode($message), ['allowed_classes' => [Data::class, Stub::class]]);
+ $payload = @unserialize(base64_decode($message), ['allowed_classes' => [Data::class, Stub::class]]);//XXX
// Impossible to decode the message, give up.
if (false === $payload) {
$this->logger?->warning('Unable to decode a message from {clientId} client.', ['clientId' => $clientId]);
continue;
}
if (!\is_array($payload) || \count($payload) < 2 || !$payload[0] instanceof Data || !\is_array($payload[1])) {
$this->logger?->warning('Invalid payload from {clientId} client. Expected an array of two elements (Data $data, array $context)', ['clientId' => $clientId]);
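Review bot: `base64_decode($message)` on the added line runs in non-strict mode, so characters outside the base64 alphabet are silently dropped rather than rejected, and the `@` prefix then hides whatever unserialize() reports about the mangled result. Splitting the call into `$decoded = base64_decode($message, true);` followed by `$payload = false === $decoded ? false : @unserialize($decoded, ['allowed_classes' => [Data::class, Stub::class]]);` makes malformed input take the existing `false === $payload` warning path instead. The `allowed_classes` restriction together with the `instanceof Data` check below is the right pattern and worth a comment saying why only those two classes are permitted. The `foreach` body continues past this hunk.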
diff --git a/src/Symfony/Component/VarExporter/Internal/Registry.php b/src/Symfony/Component/VarExporter/Internal/Registry.php
index 09d2de2a05..806f3891af 100644
--- a/src/Symfony/Component/VarExporter/Internal/Registry.php
+++ b/src/Symfony/Component/VarExporter/Internal/Registry.php
@@ -33,21 +33,21 @@ class Registry
{
$this->classes = $classes;
}
public static function unserialize($objects, $serializables)
{
$unserializeCallback = ini_set('unserialize_callback_func', __CLASS__.'::getClassReflector');
try {
foreach ($serializables as $k => $v) {
- $objects[$k] = unserialize($v);
+ $objects[$k] = unserialize($v);//XXX
}
} finally {
ini_set('unserialize_callback_func', $unserializeCallback);
}
return $objects;
}
public static function p($class)
{
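Review bot: `Registry::unserialize()` has no parameter or return types and no docblock, so a reader cannot tell from the signature that `$serializables` holds serialized strings keyed like `$objects` and that the method returns `$objects` with those entries replaced by their unserialized values, which is all the loop at the added line does. A docblock along the lines of `/** @param array $objects @param array<array-key, string> $serializables @return array */` plus a sentence noting that the input is the exporter's own output and hence trusted would document that contract. The loop also stores whatever unserialize() returns, including `false` on failure, without a check; if a failure is expected to surface, that is missing, otherwise say so in the comment. The hunk ends inside the signature of `p()`.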
@@ -84,21 +84,21 @@ class Registry
} else {
try {
$proto = $reflector->newInstanceWithoutConstructor();
$instantiableWithoutConstructor = true;
} catch (\ReflectionException) {
$proto = $reflector->implementsInterface('Serializable') && !method_exists($class, '__unserialize') ? 'C:' : 'O:';
if ('C:' === $proto && !$reflector->getMethod('unserialize')->isInternal()) {
$proto = null;
} else {
try {
- $proto = @unserialize($proto.\strlen($class).':"'.$class.'":0:{}');
+ $proto = @unserialize($proto.\strlen($class).':"'.$class.'":0:{}');//XXX
} catch (\Exception $e) {
if (__FILE__ !== $e->getFile()) {
throw $e;
}
throw new NotInstantiableTypeException($class, $e);
}
if (false === $proto) {
throw new NotInstantiableTypeException($class);
}
}
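Review bot: The `catch (\Exception $e)` after the `@unserialize()` on the added line rethrows anything not attributed to `__FILE__` and wraps the rest in `NotInstantiableTypeException`, but neither the `@` nor the file check is explained; a comment such as `// Failures raised by unserialize() itself (attributed to this file) mean the type cannot be built this way; exceptions from the class's own unserialize()/__wakeup hook are rethrown untouched.` would save the next reader from reconstructing that. `\Error` thrown from those hooks is not caught here and propagates; if that is intended, the same comment can say so. The enclosing method `p()` starts before this hunk and continues after it.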