[Security] Fail gracefully if the security token cannot be unserialized from the session

thewilkybarkid · nicolas-grekas · commit 219118a0ec26 · 2018-01-07T09:41:33.000+01:00
diff --git a/src/Symfony/Component/Security/Http/Firewall/ContextListener.php b/src/Symfony/Component/Security/Http/Firewall/ContextListener.php
@@ -77,7 +77,7 @@ public function handle(GetResponseEvent $event)
             return;
         }
 
-        $token = unserialize($token);
+        $token = $this->safelyUnserialize($token);
 
         if (null !== $this->logger) {
             $this->logger->debug('Read existing security token from the session.', array('key' => $this->sessionKey));
@@ -171,4 +171,36 @@ protected function refreshUser(TokenInterface $token)
 
         throw new \RuntimeException(sprintf('There is no user provider for user "%s".', get_class($user)));
     }
+
+    private function safelyUnserialize($serializedToken)
+    {
+        $eCode = 0x37313bc;
+        $e = $token = null;
+        $prevUnserializeHandler = ini_set('unserialize_callback_func', '');
+        $prevErrorHandler = set_error_handler(function ($type, $msg, $file, $line, $context = array()) use (&$prevErrorHandler, $eCode) {
+            if (E_WARNING === $type && ('Class __PHP_Incomplete_Class has no unserializer' === $msg || 0 === strpos($msg, 'unserialize(): '))) {
+                throw new \ErrorException($msg, $eCode, $type, $file, $line);
+            }
+
+            return $prevErrorHandler ? $prevErrorHandler($type, $msg, $file, $line, $context) : false;
+        });
+
+        try {
+            $token = unserialize($serializedToken);
+        } catch (\Error $e) {
+        } catch (\Exception $e) {
+        }
+        restore_error_handler();
+        ini_set('unserialize_callback_func', $prevUnserializeHandler);
+        if ($e) {
+            if (!$e instanceof \ErrorException || $eCode !== $e->getCode()) {
+                throw $e;
+            }
+            if ($logger) {
+                $this->logger->warning('Failed to unserialize the security token from the session.', array('key' => $this->sessionKey, 'received' => $serializedToken, 'exception' => $e));
+            }
+        }
+
+        return $token;
+    }
 }
diff --git a/src/Symfony/Component/Security/Http/Tests/Firewall/ContextListenerTest.php b/src/Symfony/Component/Security/Http/Tests/Firewall/ContextListenerTest.php
@@ -169,6 +169,7 @@ public function testInvalidTokenInSession($token)
     public function provideInvalidToken()
     {
         return array(
+            array('foo'),
             array(serialize(new \__PHP_Incomplete_Class())),
             array(serialize(null)),
             array(null),

Original file line number	Diff line number	Diff line change
`@@ -169,6 +169,7 @@ public function testInvalidTokenInSession($token)`
`169`	`169`	`public function provideInvalidToken()`
`170`	`170`	`{`
`171`	`171`	`return array(`
	`172`	`+ array('foo'),`
`172`	`173`	`array(serialize(new \__PHP_Incomplete_Class())),`
`173`	`174`	`array(serialize(null)),`
`174`	`175`	`array(null),`