Dont allow unserializing classes with a destructor

jderusse · jderusse · commit 9579bea317a2 · 2021-01-12T13:42:25.000+01:00
diff --git a/DataCollector/DataCollector.php b/DataCollector/DataCollector.php
@@ -123,6 +123,10 @@ public function __sleep()
     public function __wakeup()
     {
         if (__CLASS__ !== $c = (new \ReflectionMethod($this, 'unserialize'))->getDeclaringClass()->name) {
+            if (\is_object($this->data)) {
+                throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+            }
+
             @trigger_error(sprintf('Implementing the "%s::unserialize()" method is deprecated since Symfony 4.3, store all the serialized state in the "data" property instead.', $c), \E_USER_DEPRECATED);
             $this->unserialize($this->data);
         }
diff --git a/DataCollector/DumpDataCollector.php b/DataCollector/DumpDataCollector.php
@@ -184,7 +184,7 @@ public function __wakeup()
         $fileLinkFormat = array_pop($this->data);
         $this->dataCount = \count($this->data);
 
-        self::__construct($this->stopwatch, $fileLinkFormat, $charset);
+        self::__construct($this->stopwatch, \is_string($fileLinkFormat) || $fileLinkFormat instanceof FileLinkFormatter ? $fileLinkFormat : null, \is_string($charset) ? $charset : null);
     }
 
     public function getDumpsCount()
diff --git a/Kernel.php b/Kernel.php
@@ -920,6 +920,10 @@ public function __sleep()
 
     public function __wakeup()
     {
+        if (\is_object($this->environment) || \is_object($this->debug)) {
+            throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+        }
+
         if (__CLASS__ !== $c = (new \ReflectionMethod($this, 'serialize'))->getDeclaringClass()->name) {
             @trigger_error(sprintf('Implementing the "%s::serialize()" method is deprecated since Symfony 4.3.', $c), \E_USER_DEPRECATED);
             $this->unserialize($this->serialized);

Original file line number	Diff line number	Diff line change
`@@ -123,6 +123,10 @@ public function __sleep()`
`123`	`123`	`public function __wakeup()`
`124`	`124`	`{`
`125`	`125`	`if (__CLASS__ !== $c = (new \ReflectionMethod($this, 'unserialize'))->getDeclaringClass()->name) {`
	`126`	`+ if (\is_object($this->data)) {`
	`127`	`+ throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);`
	`128`	`+ }`
	`129`	`+`
`126`	`130`	`@trigger_error(sprintf('Implementing the "%s::unserialize()" method is deprecated since Symfony 4.3, store all the serialized state in the "data" property instead.', $c), \E_USER_DEPRECATED);`
`127`	`131`	`$this->unserialize($this->data);`
`128`	`132`	`}`
Original file line number	Diff line number	Diff line change
`@@ -184,7 +184,7 @@ public function __wakeup()`
`184`	`184`	`$fileLinkFormat = array_pop($this->data);`
`185`	`185`	`$this->dataCount = \count($this->data);`
`186`	`186`
`187`		`- self::__construct($this->stopwatch, $fileLinkFormat, $charset);`
	`187`	`+ self::__construct($this->stopwatch, \is_string($fileLinkFormat) \|\| $fileLinkFormat instanceof FileLinkFormatter ? $fileLinkFormat : null, \is_string($charset) ? $charset : null);`
`188`	`188`	`}`
`189`	`189`
`190`	`190`	`public function getDumpsCount()`