Avoid using scream

thewilkybarkid · thewilkybarkid · commit 23e6feec0a44 · 2018-01-04T11:52:07.000Z
diff --git a/src/Symfony/Component/Security/Http/Firewall/ContextListener.php b/src/Symfony/Component/Security/Http/Firewall/ContextListener.php
@@ -77,11 +77,11 @@ public function handle(GetResponseEvent $event)
             return;
         }
 
-        $token = @unserialize($serializedToken);
-
-        if (false === $token) {
+        try {
+            $token = $this->unserialize($serializedToken);
+        } catch (\ErrorException $e) {
             if (null !== $this->logger) {
-                $this->logger->warning('Failed to unserialize the security token from the session.', array('key' => $this->sessionKey, 'received' => $serializedToken));
+                $this->logger->warning('Failed to unserialize the security token from the session.', array('key' => $this->sessionKey, 'received' => $serializedToken, 'exception' => $e));
             }
             $token = null;
         }
@@ -178,4 +178,27 @@ protected function refreshUser(TokenInterface $token)
 
         throw new \RuntimeException(sprintf('There is no user provider for user "%s".', get_class($user)));
     }
+
+    private function unserialize($serialized)
+    {
+        $prevUnserializeHandler = ini_set('unserialize_callback_func', '');
+        set_error_handler(function ($type, $message, $file, $line) {
+            throw new \ErrorException($message, 0, $type, $file, $line);
+        });
+
+        try {
+            $unserialized = unserialize($serialized);
+        } catch (\ErrorException $e) {
+            // To be rethrown after restoring the error handler.
+        }
+
+        ini_set('unserialize_callback_func', $prevUnserializeHandler);
+        restore_error_handler();
+
+        if (isset($e)) {
+            throw $e;
+        }
+
+        return $unserialized;
+    }
 }
