Created
September 20, 2022 17:13
Places where unserialize() is wrapped in a try/catch in Symfony 6.2
diff --git a/src/Symfony/Bridge/PhpUnit/DeprecationErrorHandler/Deprecation.php b/src/Symfony/Bridge/PhpUnit/DeprecationErrorHandler/Deprecation.php | |
index 003680a5c0..e6b0265a45 100644 | |
--- a/src/Symfony/Bridge/PhpUnit/DeprecationErrorHandler/Deprecation.php | |
+++ b/src/Symfony/Bridge/PhpUnit/DeprecationErrorHandler/Deprecation.php | |
@@ -95,21 +95,21 @@ class Deprecation | |
break; | |
} | |
} | |
if (!isset($line['object']) && !isset($line['class'])) { | |
return; | |
} | |
set_error_handler(function () {}); | |
try { | |
- $parsedMsg = unserialize($this->message); | |
+ $parsedMsg = unserialize($this->message);//XXX | |
} finally { | |
restore_error_handler(); | |
} | |
if ($parsedMsg && isset($parsedMsg['deprecation'])) { | |
$this->message = $parsedMsg['deprecation']; | |
$this->originClass = $parsedMsg['class']; | |
$this->originMethod = $parsedMsg['method']; | |
if (isset($parsedMsg['files_stack'])) { | |
$this->originalFilesStack = $parsedMsg['files_stack']; | |
} | |
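Review bot: The call at `$parsedMsg = unserialize($this->message);` may instantiate objects of any class from the deprecation message, while the code after it only reads array keys (`deprecation`, `class`, `method`, `files_stack`). Passing the option `$parsedMsg = unserialize($this->message, ['allowed_classes' => false]);` keeps a crafted message from instantiating arbitrary classes (and from running their `__wakeup()`/`__unserialize()`) without changing the array-only path. The `try { … } finally` block restores the error handler but catches nothing, so an exception thrown from inside unserialize() still propagates; if that is intended, a one-line comment saying so would help. The enclosing method starts before this hunk.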
diff --git a/src/Symfony/Component/Cache/Adapter/ArrayAdapter.php b/src/Symfony/Component/Cache/Adapter/ArrayAdapter.php | |
index 2ff499d30c..ce85450adb 100644 | |
--- a/src/Symfony/Component/Cache/Adapter/ArrayAdapter.php | |
+++ b/src/Symfony/Component/Cache/Adapter/ArrayAdapter.php | |
@@ -325,21 +325,21 @@ class ArrayAdapter implements AdapterInterface, CacheInterface, LoggerAwareInter | |
return $value; | |
} | |
private function unfreeze(string $key, bool &$isHit) | |
{ | |
if ('N;' === $value = $this->values[$key]) { | |
return null; | |
} | |
if (\is_string($value) && isset($value[2]) && ':' === $value[1]) { | |
try { | |
- $value = unserialize($value); | |
+ $value = unserialize($value);//XXX | |
} catch (\Exception $e) { | |
CacheItem::log($this->logger, 'Failed to unserialize key "{key}": '.$e->getMessage(), ['key' => $key, 'exception' => $e, 'cache-adapter' => get_debug_type($this)]); | |
$value = false; | |
} | |
if (false === $value) { | |
$value = null; | |
$isHit = false; | |
if (!$this->maxItems) { | |
$this->values[$key] = null; | |
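Review bot: The `catch (\Exception $e)` around `$value = unserialize($value);` does not cover `\Error` (for example a TypeError raised from a stored object's `__unserialize()`/`__wakeup()`), so such a failure skips the log-and-miss path and propagates out of unfreeze(), whereas the DefaultMarshaller hunk in this same diff catches `\Error` for the same operation. If a cache miss is the intended outcome for any unreadable entry, `} catch (\Throwable $e) {` would make the two consistent; if letting engine errors propagate is deliberate here, a comment stating that would save the next reader the comparison. The values appear to come from this adapter's own in-memory array, so class filtering is not the concern at this site. unfreeze() continues past the end of this hunk.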
diff --git a/src/Symfony/Component/Cache/Marshaller/DefaultMarshaller.php b/src/Symfony/Component/Cache/Marshaller/DefaultMarshaller.php | |
index e11607b3da..b02b01cf15 100644 | |
--- a/src/Symfony/Component/Cache/Marshaller/DefaultMarshaller.php | |
+++ b/src/Symfony/Component/Cache/Marshaller/DefaultMarshaller.php | |
@@ -64,21 +64,21 @@ class DefaultMarshaller implements MarshallerInterface | |
if ('N;' === $value) { | |
return null; | |
} | |
static $igbinaryNull; | |
if ($value === $igbinaryNull ??= \extension_loaded('igbinary') ? igbinary_serialize(null) : false) { | |
return null; | |
} | |
$unserializeCallbackHandler = ini_set('unserialize_callback_func', __CLASS__.'::handleUnserializeCallback'); | |
try { | |
if (':' === ($value[1] ?? ':')) { | |
- if (false !== $value = unserialize($value)) { | |
+ if (false !== $value = unserialize($value)) {//XXX | |
return $value; | |
} | |
} elseif (false === $igbinaryNull) { | |
throw new \RuntimeException('Failed to unserialize values, did you forget to install the "igbinary" extension?'); | |
} elseif (null !== $value = igbinary_unserialize($value)) { | |
return $value; | |
} | |
throw new \DomainException(error_get_last() ? error_get_last()['message'] : 'Failed to unserialize values.'); | |
} catch (\Error $e) { | |
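Review bot: The `unserialize($value)` call in the `':' === ($value[1] ?? ':')` branch imposes no `allowed_classes` restriction, so any autoloadable class can be instantiated from a cache entry; that is inherent to a general-purpose marshaller, but it makes the storage backend the trust boundary, and a comment on the call such as `// Cache payloads are trusted: any autoloadable class may be instantiated here, so the backend must not be writable by untrusted parties.` would make that explicit. Separately, the `\DomainException` message is built from `error_get_last()`, which can report an earlier, unrelated error if the failed call did not raise one itself; calling `error_clear_last();` right before the `try` would tie the message to this unmarshall() call. The body of `catch (\Error $e)` lies outside the hunk.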
diff --git a/src/Symfony/Component/Security/Http/Firewall/ContextListener.php b/src/Symfony/Component/Security/Http/Firewall/ContextListener.php | |
index 3b7d66c6cd..0a178d977f 100644 | |
--- a/src/Symfony/Component/Security/Http/Firewall/ContextListener.php | |
+++ b/src/Symfony/Component/Security/Http/Firewall/ContextListener.php | |
@@ -257,21 +257,21 @@ class ContextListener extends AbstractListener | |
$prevUnserializeHandler = ini_set('unserialize_callback_func', __CLASS__.'::handleUnserializeCallback'); | |
$prevErrorHandler = set_error_handler(function ($type, $msg, $file, $line, $context = []) use (&$prevErrorHandler) { | |
if (__FILE__ === $file) { | |
throw new \ErrorException($msg, 0x37313BC, $type, $file, $line); | |
} | |
return $prevErrorHandler ? $prevErrorHandler($type, $msg, $file, $line, $context) : false; | |
}); | |
try { | |
- $token = unserialize($serializedToken); | |
+ $token = unserialize($serializedToken);//XXX | |
} catch (\ErrorException $e) { | |
if (0x37313BC !== $e->getCode()) { | |
throw $e; | |
} | |
$this->logger?->warning('Failed to unserialize the security token from the session.', ['key' => $this->sessionKey, 'received' => $serializedToken, 'exception' => $e]); | |
} finally { | |
restore_error_handler(); | |
ini_set('unserialize_callback_func', $prevUnserializeHandler); | |
} | |
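Review bot: The warning logged in the `catch (\ErrorException $e)` branch places the raw `$serializedToken` into the log context; a serialized security token commonly embeds the user object and its attributes, so a corrupt session can push user identifiers or other sensitive data into log storage. Consider logging only a non-sensitive indicator, e.g. `'received_length' => \strlen($serializedToken)` or a hash of the payload, unless the full string is needed for debugging in a controlled environment. Note also that only the `\ErrorException` raised from this file is caught: an exception thrown by a token class's own `__unserialize()`/`__wakeup()` propagates out of this method, which may be intended but is worth a comment. The enclosing method begins before this hunk.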
diff --git a/src/Symfony/Component/VarDumper/Server/DumpServer.php b/src/Symfony/Component/VarDumper/Server/DumpServer.php | |
index 8df05a150a..411bf9969c 100644 | |
--- a/src/Symfony/Component/VarDumper/Server/DumpServer.php | |
+++ b/src/Symfony/Component/VarDumper/Server/DumpServer.php | |
@@ -51,21 +51,21 @@ class DumpServer | |
public function listen(callable $callback): void | |
{ | |
if (null === $this->socket) { | |
$this->start(); | |
} | |
foreach ($this->getMessages() as $clientId => $message) { | |
$this->logger?->info('Received a payload from client {clientId}', ['clientId' => $clientId]); | |
- $payload = @unserialize(base64_decode($message), ['allowed_classes' => [Data::class, Stub::class]]); | |
+ $payload = @unserialize(base64_decode($message), ['allowed_classes' => [Data::class, Stub::class]]);//XXX | |
// Impossible to decode the message, give up. | |
if (false === $payload) { | |
$this->logger?->warning('Unable to decode a message from {clientId} client.', ['clientId' => $clientId]); | |
continue; | |
} | |
if (!\is_array($payload) || \count($payload) < 2 || !$payload[0] instanceof Data || !\is_array($payload[1])) { | |
$this->logger?->warning('Invalid payload from {clientId} client. Expected an array of two elements (Data $data, array $context)', ['clientId' => $clientId]); | |
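Review bot: `base64_decode($message)` runs in non-strict mode, so a message containing characters outside the base64 alphabet is silently decoded into garbage and handed to unserialize() rather than rejected; since this input arrives over the dump socket, decode strictly and short-circuit: `$decoded = base64_decode($message, true);` followed by `$payload = false === $decoded ? false : @unserialize($decoded, ['allowed_classes' => [Data::class, Stub::class]]);`. The `allowed_classes` whitelist is the right control for network input, and the later `is_array`/`instanceof Data` checks validate the shape; a comment stating that `Data` and `Stub` are the only classes permitted to be materialized from the wire would document the intent. listen() continues past the end of this hunk.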
diff --git a/src/Symfony/Component/VarExporter/Internal/Registry.php b/src/Symfony/Component/VarExporter/Internal/Registry.php | |
index 09d2de2a05..806f3891af 100644 | |
--- a/src/Symfony/Component/VarExporter/Internal/Registry.php | |
+++ b/src/Symfony/Component/VarExporter/Internal/Registry.php | |
@@ -33,21 +33,21 @@ class Registry | |
{ | |
$this->classes = $classes; | |
} | |
public static function unserialize($objects, $serializables) | |
{ | |
$unserializeCallback = ini_set('unserialize_callback_func', __CLASS__.'::getClassReflector'); | |
try { | |
foreach ($serializables as $k => $v) { | |
- $objects[$k] = unserialize($v); | |
+ $objects[$k] = unserialize($v);//XXX | |
} | |
} finally { | |
ini_set('unserialize_callback_func', $unserializeCallback); | |
} | |
return $objects; | |
} | |
public static function p($class) | |
{ | |
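Review bot: `Registry::unserialize()` runs `unserialize($v)` on every entry of `$serializables` with no `allowed_classes` restriction and without checking for a `false` return, so it is only safe with strings the exporter produced itself, yet the method carries no docblock saying so. A short one above `public static function unserialize($objects, $serializables)` — `/** @param array<int|string, string> $serializables Serialized strings emitted by the exporter; never user-supplied. @return array */` — would make that trust assumption explicit for anyone calling it from generated code. The `unserialize_callback_func` swap is correctly undone in `finally`. `p()` begins at the bottom of this hunk and continues outside it.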
@@ -84,21 +84,21 @@ class Registry | |
} else { | |
try { | |
$proto = $reflector->newInstanceWithoutConstructor(); | |
$instantiableWithoutConstructor = true; | |
} catch (\ReflectionException) { | |
$proto = $reflector->implementsInterface('Serializable') && !method_exists($class, '__unserialize') ? 'C:' : 'O:'; | |
if ('C:' === $proto && !$reflector->getMethod('unserialize')->isInternal()) { | |
$proto = null; | |
} else { | |
try { | |
- $proto = @unserialize($proto.\strlen($class).':"'.$class.'":0:{}'); | |
+ $proto = @unserialize($proto.\strlen($class).':"'.$class.'":0:{}');//XXX | |
} catch (\Exception $e) { | |
if (__FILE__ !== $e->getFile()) { | |
throw $e; | |
} | |
throw new NotInstantiableTypeException($class, $e); | |
} | |
if (false === $proto) { | |
throw new NotInstantiableTypeException($class); | |
} | |
} |
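Review bot: `@unserialize($proto.\strlen($class).':"'.$class.'":0:{}')` deliberately uses the byte length, which is what the `O:`/`C:` serialization format requires, so a reader primed to swap `\strlen` for `mb_strlen` would break the probe; a comment `// serialize() encodes byte lengths, so \strlen (not mb_strlen) is required here` would prevent that. The `catch (\Exception $e)` does not cover `\Error` thrown by the class's `__wakeup()`/`unserialize()` during this probe, so such an error propagates instead of becoming a NotInstantiableTypeException; if that is intended, say so in the same comment. `p()` starts before this hunk and continues after it.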