[VarExporter] dont call userland code with uninitialized objects

nicolas-grekas · nicolas-grekas · commit f0cd2b2838ba · 2018-12-13T08:48:06.000+01:00
diff --git a/src/Symfony/Component/VarExporter/Internal/Registry.php b/src/Symfony/Component/VarExporter/Internal/Registry.php
@@ -93,15 +93,9 @@ public static function getClassReflector($class, $instantiableWithoutConstructor
                     throw new NotInstantiableTypeException($class);
                 }
             }
-            if (null !== $proto && !$proto instanceof \Throwable) {
+            if (null !== $proto && !$proto instanceof \Throwable && !$proto instanceof \Serializable && !\method_exists($class, '__sleep')) {
                 try {
-                    if (!$proto instanceof \Serializable && !\method_exists($class, '__sleep')) {
-                        serialize($proto);
-                    } elseif ($instantiableWithoutConstructor) {
-                        serialize($reflector->newInstanceWithoutConstructor());
-                    } else {
-                        serialize(unserialize(($proto instanceof \Serializable ? 'C:' : 'O:').\strlen($class).':"'.$class.'":0:{}'));
-                    }
+                    serialize($proto);
                 } catch (\Exception $e) {
                     throw new NotInstantiableTypeException($class, $e);
                 }
diff --git a/src/Symfony/Component/VarExporter/Tests/Fixtures/foo-serializable.php b/src/Symfony/Component/VarExporter/Tests/Fixtures/foo-serializable.php
@@ -0,0 +1,11 @@
+<?php
+
+return \Symfony\Component\VarExporter\Internal\Hydrator::hydrate(
+    $o = \Symfony\Component\VarExporter\Internal\Registry::unserialize([], [
+        'C:51:"Symfony\\Component\\VarExporter\\Tests\\FooSerializable":20:{a:1:{i:0;s:3:"bar";}}',
+    ]),
+    null,
+    [],
+    $o[0],
+    []
+);
diff --git a/src/Symfony/Component/VarExporter/Tests/VarExporterTest.php b/src/Symfony/Component/VarExporter/Tests/VarExporterTest.php
@@ -194,6 +194,8 @@ public function provideExport()
         yield array('wakeup-refl', $value);
 
         yield array('abstract-parent', new ConcreteClass());
+
+        yield array('foo-serializable', new FooSerializable('bar'));
     }
 }
 
@@ -342,3 +344,28 @@ public function __construct()
         $this->setBar(234);
     }
 }
+
+class FooSerializable implements \Serializable
+{
+    private $foo;
+
+    public function __construct(string $foo)
+    {
+        $this->foo = $foo;
+    }
+
+    public function getFoo(): string
+    {
+        return $this->foo;
+    }
+
+    public function serialize(): string
+    {
+        return serialize(array($this->getFoo()));
+    }
+
+    public function unserialize($str)
+    {
+        list($this->foo) = unserialize($str);
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -93,15 +93,9 @@ public static function getClassReflector($class, $instantiableWithoutConstructor`
`93`	`93`	`throw new NotInstantiableTypeException($class);`
`94`	`94`	`}`
`95`	`95`	`}`
`96`		`- if (null !== $proto && !$proto instanceof \Throwable) {`
	`96`	`+ if (null !== $proto && !$proto instanceof \Throwable && !$proto instanceof \Serializable && !\method_exists($class, '__sleep')) {`
`97`	`97`	`try {`
`98`		`- if (!$proto instanceof \Serializable && !\method_exists($class, '__sleep')) {`
`99`		`- serialize($proto);`
`100`		`- } elseif ($instantiableWithoutConstructor) {`
`101`		`- serialize($reflector->newInstanceWithoutConstructor());`
`102`		`- } else {`
`103`		`- serialize(unserialize(($proto instanceof \Serializable ? 'C:' : 'O:').\strlen($class).':"'.$class.'":0:{}'));`
`104`		`- }`
	`98`	`+ serialize($proto);`
`105`	`99`	`} catch (\Exception $e) {`
`106`	`100`	`throw new NotInstantiableTypeException($class, $e);`
`107`	`101`	`}`