bug #62 Dont allow unserializing classes with a destructor - security-acl (jderusse)

fabpot · fabpot · commit 2c1b1b68d8ff · 2021-01-12T10:10:27.000+01:00
This PR was merged into the 3.0-dev branch. Discussion ---------- Dont allow unserializing classes with a destructor - security-acl Prevent destructors with side-effects from being unserialized Commits ------- 28638eb Dont allow unserializing classes with a destructor - security-acl
diff --git a/Domain/FieldEntry.php b/Domain/FieldEntry.php
@@ -67,6 +67,9 @@ public function serialize()
     public function unserialize($serialized)
     {
         list($this->field, $parentStr) = unserialize($serialized);
+        if (!\is_string($parentStr)) {
+            throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+        }
         parent::unserialize($parentStr);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,9 @@ public function serialize()`
`67`	`67`	`public function unserialize($serialized)`
`68`	`68`	`{`
`69`	`69`	`list($this->field, $parentStr) = unserialize($serialized);`
	`70`	`+ if (!\is_string($parentStr)) {`
	`71`	`+ throw new \BadMethodCallException('Cannot serialize '.__CLASS__);`
	`72`	`+ }`
`70`	`73`	`parent::unserialize($parentStr);`
`71`	`74`	`}`
`72`	`75`	`}`