Merge branch '4.4' into 5.1

nicolas-grekas · nicolas-grekas · commit 73a70acb2b6e · 2021-01-12T15:25:50.000+01:00
* 4.4:
  Dont allow unserializing classes with a destructor
  Dont allow unserializing classes with a destructor - 4.4
  [Cache] fix possible collision when writing tmp file in filesystem adapter
  a colon followed by spaces exclusively separates mapping keys and values
  Contracts: Remove ellipsis
  fix handling float-like key attribute values
  Fix missing BCC recipients in SES bridge
diff --git a/src/Symfony/Bridge/Monolog/Handler/ElasticsearchLogstashHandler.php b/src/Symfony/Bridge/Monolog/Handler/ElasticsearchLogstashHandler.php
@@ -129,6 +129,16 @@ private function sendToElasticsearch(array $records)
         $this->wait(false);
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         $this->wait(true);
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/Functional/app/AppKernel.php b/src/Symfony/Bundle/FrameworkBundle/Tests/Functional/app/AppKernel.php
@@ -89,6 +89,12 @@ public function __sleep(): array
 
     public function __wakeup()
     {
+        foreach ($this as $k => $v) {
+            if (\is_object($v)) {
+                throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+            }
+        }
+
         $this->__construct($this->varDir, $this->testCase, $this->rootConfig, $this->environment, $this->debug);
     }
 
diff --git a/src/Symfony/Component/Cache/Traits/FilesystemCommonTrait.php b/src/Symfony/Component/Cache/Traits/FilesystemCommonTrait.php
@@ -93,9 +93,20 @@ private function write(string $file, string $data, int $expiresAt = null)
         set_error_handler(__CLASS__.'::throwError');
         try {
             if (null === $this->tmp) {
-                $this->tmp = $this->directory.uniqid('', true);
+                $this->tmp = $this->directory.bin2hex(random_bytes(6));
             }
-            file_put_contents($this->tmp, $data);
+            try {
+                $h = fopen($this->tmp, 'x');
+            } catch (\ErrorException $e) {
+                if (false === strpos($e->getMessage(), 'File exists')) {
+                    throw $e;
+                }
+
+                $this->tmp = $this->directory.bin2hex(random_bytes(6));
+                $h = fopen($this->tmp, 'x');
+            }
+            fwrite($h, $data);
+            fclose($h);
 
             if (null !== $expiresAt) {
                 touch($this->tmp, $expiresAt);
diff --git a/src/Symfony/Component/Config/Definition/PrototypedArrayNode.php b/src/Symfony/Component/Config/Definition/PrototypedArrayNode.php
@@ -227,6 +227,10 @@ protected function normalizeValue($value)
                 } elseif (isset($v[$this->keyAttribute])) {
                     $k = $v[$this->keyAttribute];
 
+                    if (\is_float($k)) {
+                        $k = var_export($k, true);
+                    }
+
                     // remove the key attribute when required
                     if ($this->removeKeyAttribute) {
                         unset($v[$this->keyAttribute]);
diff --git a/src/Symfony/Component/Config/Tests/Definition/NormalizationTest.php b/src/Symfony/Component/Config/Tests/Definition/NormalizationTest.php
@@ -201,6 +201,32 @@ public function testAssociativeArrayPreserveKeys()
         $this->assertNormalized($tree, $data, $data);
     }
 
+    public function testFloatLikeValueAsMapKeyAttribute()
+    {
+        $tree = (new TreeBuilder('root'))
+            ->getRootNode()
+                ->useAttributeAsKey('number')
+                ->arrayPrototype()
+                    ->children()
+                        ->scalarNode('foo')->end()
+                    ->end()
+                ->end()
+            ->end()
+            ->buildTree()
+        ;
+
+        $this->assertNormalized($tree, [
+            [
+                'number' => 3.0,
+                'foo' => 'bar',
+            ],
+        ], [
+            '3.0' => [
+                'foo' => 'bar',
+            ],
+        ]);
+    }
+
     public static function assertNormalized(NodeInterface $tree, $denormalized, $normalized)
     {
         self::assertSame($normalized, $tree->normalize($denormalized));
diff --git a/src/Symfony/Component/DependencyInjection/Loader/Configurator/AbstractConfigurator.php b/src/Symfony/Component/DependencyInjection/Loader/Configurator/AbstractConfigurator.php
@@ -40,6 +40,16 @@ public function __call(string $method, array $args)
         throw new \BadMethodCallException(sprintf('Call to undefined method "%s::%s()".', static::class, $method));
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     /**
      * Checks that a value is valid, optionally replacing Definition and Reference configurators by their configure value.
      *
diff --git a/src/Symfony/Component/ErrorHandler/BufferingLogger.php b/src/Symfony/Component/ErrorHandler/BufferingLogger.php
@@ -35,6 +35,16 @@ public function cleanLogs(): array
         return $logs;
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         foreach ($this->logs as [$level, $message, $context]) {
diff --git a/src/Symfony/Component/Form/Util/OrderedHashMapIterator.php b/src/Symfony/Component/Form/Util/OrderedHashMapIterator.php
@@ -76,6 +76,16 @@ public function __construct(array &$elements, array &$orderedKeys, array &$manag
         $this->managedCursors[$this->cursorId] = &$this->cursor;
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     /**
      * Removes the iterator's cursors from the managed cursors of the
      * corresponding {@link OrderedHashMap} instance.
diff --git a/src/Symfony/Component/HttpClient/Chunk/ErrorChunk.php b/src/Symfony/Component/HttpClient/Chunk/ErrorChunk.php
@@ -116,6 +116,16 @@ public function didThrow(): bool
         return $this->didThrow;
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         if (!$this->didThrow) {
diff --git a/src/Symfony/Component/HttpClient/CurlHttpClient.php b/src/Symfony/Component/HttpClient/CurlHttpClient.php
@@ -362,6 +362,16 @@ public function reset()
         }
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         $this->reset();
diff --git a/src/Symfony/Component/HttpClient/HttplugClient.php b/src/Symfony/Component/HttpClient/HttplugClient.php
@@ -218,6 +218,16 @@ public function createUri($uri): UriInterface
         throw new \LogicException(sprintf('You cannot use "%s()" as the "nyholm/psr7" package is not installed. Try running "composer require nyholm/psr7".', __METHOD__));
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         $this->wait();
diff --git a/src/Symfony/Component/HttpClient/Response/ResponseTrait.php b/src/Symfony/Component/HttpClient/Response/ResponseTrait.php
@@ -199,6 +199,16 @@ public function toStream(bool $throw = true)
         return $stream;
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     /**
      * Closes the response and all its network handles.
      */
diff --git a/src/Symfony/Component/HttpKernel/DataCollector/DumpDataCollector.php b/src/Symfony/Component/HttpKernel/DataCollector/DumpDataCollector.php
@@ -179,7 +179,7 @@ public function __wakeup()
         $fileLinkFormat = array_pop($this->data);
         $this->dataCount = \count($this->data);
 
-        self::__construct($this->stopwatch, $fileLinkFormat, $charset);
+        self::__construct($this->stopwatch, \is_string($fileLinkFormat) || $fileLinkFormat instanceof FileLinkFormatter ? $fileLinkFormat : null, \is_string($charset) ? $charset : null);
     }
 
     public function getDumpsCount(): int
diff --git a/src/Symfony/Component/HttpKernel/Kernel.php b/src/Symfony/Component/HttpKernel/Kernel.php
@@ -825,6 +825,10 @@ public function __sleep()
 
     public function __wakeup()
     {
+        if (\is_object($this->environment) || \is_object($this->debug)) {
+            throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+        }
+
         $this->__construct($this->environment, $this->debug);
     }
 }
diff --git a/src/Symfony/Component/Ldap/Adapter/ExtLdap/Connection.php b/src/Symfony/Component/Ldap/Adapter/ExtLdap/Connection.php
@@ -35,6 +35,16 @@ class Connection extends AbstractConnection
     /** @var resource */
     private $connection;
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         $this->disconnect();
diff --git a/src/Symfony/Component/Ldap/Adapter/ExtLdap/Query.php b/src/Symfony/Component/Ldap/Adapter/ExtLdap/Query.php
@@ -38,6 +38,16 @@ public function __construct(Connection $connection, string $dn, string $query, a
         parent::__construct($connection, $dn, $query, $options);
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         $con = $this->connection->getResource();
diff --git a/src/Symfony/Component/Lock/Lock.php b/src/Symfony/Component/Lock/Lock.php
@@ -50,6 +50,16 @@ public function __construct(Key $key, PersistingStoreInterface $store, float $tt
         $this->logger = new NullLogger();
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     /**
      * Automatically releases the underlying lock when the object is destructed.
      */
diff --git a/src/Symfony/Component/Mailer/Bridge/Amazon/Tests/Transport/SesHttpTransportTest.php b/src/Symfony/Component/Mailer/Bridge/Amazon/Tests/Transport/SesHttpTransportTest.php
@@ -63,6 +63,12 @@ public function testSend()
             $this->assertStringContainsString('AWS3-HTTPS AWSAccessKeyId=ACCESS_KEY,Algorithm=HmacSHA256,Signature=', $options['headers'][0] ?? $options['request_headers'][0]);
 
             parse_str($options['body'], $body);
+
+            $this->assertArrayHasKey('Destinations_member_1', $body);
+            $this->assertSame('saif.gmati@symfony.com', $body['Destinations_member_1']);
+            $this->assertArrayHasKey('Destinations_member_2', $body);
+            $this->assertSame('jeremy@derusse.com', $body['Destinations_member_2']);
+
             $content = base64_decode($body['RawMessage_Data']);
 
             $this->assertStringContainsString('Hello!', $content);
@@ -86,6 +92,7 @@ public function testSend()
         $mail = new Email();
         $mail->subject('Hello!')
             ->to(new Address('saif.gmati@symfony.com', 'Saif Eddin'))
+            ->bcc(new Address('jeremy@derusse.com', 'Jérémy Derussé'))
             ->from(new Address('fabpot@symfony.com', 'Fabien'))
             ->text('Hello There!');
 
diff --git a/src/Symfony/Component/Mailer/Bridge/Amazon/Transport/SesHttpTransport.php b/src/Symfony/Component/Mailer/Bridge/Amazon/Transport/SesHttpTransport.php
@@ -54,7 +54,7 @@ protected function doSendHttp(SentMessage $message): ResponseInterface
         $date = gmdate('D, d M Y H:i:s e');
         $auth = sprintf('AWS3-HTTPS AWSAccessKeyId=%s,Algorithm=HmacSHA256,Signature=%s', $this->accessKey, $this->getSignature($date));
 
-        $response = $this->client->request('POST', 'https://'.$this->getEndpoint(), [
+        $request = [
             'headers' => [
                 'X-Amzn-Authorization' => $auth,
                 'Date' => $date,
@@ -63,7 +63,13 @@ protected function doSendHttp(SentMessage $message): ResponseInterface
                 'Action' => 'SendRawEmail',
                 'RawMessage.Data' => base64_encode($message->toString()),
             ],
-        ]);
+        ];
+        $index = 1;
+        foreach ($message->getEnvelope()->getRecipients() as $recipient) {
+            $request['body']['Destinations.member.'.$index++] = $recipient->getAddress();
+        }
+
+        $response = $this->client->request('POST', 'https://'.$this->getEndpoint(), $request);
 
         $result = new \SimpleXMLElement($response->getContent(false));
         if (200 !== $response->getStatusCode()) {
diff --git a/src/Symfony/Component/Mailer/Transport/Smtp/SmtpTransport.php b/src/Symfony/Component/Mailer/Transport/Smtp/SmtpTransport.php
@@ -340,6 +340,16 @@ private function checkRestartThreshold(): void
         $this->restartCounter = 0;
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         $this->stop();
diff --git a/src/Symfony/Component/Mime/Part/DataPart.php b/src/Symfony/Component/Mime/Part/DataPart.php
@@ -155,7 +155,13 @@ public function __wakeup()
         $r->setValue($this, $this->_headers);
         unset($this->_headers);
 
+        if (!\is_array($this->_parent)) {
+            throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+        }
         foreach (['body', 'charset', 'subtype', 'disposition', 'name', 'encoding'] as $name) {
+            if (null !== $this->_parent[$name] && !\is_string($this->_parent[$name])) {
+                throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+            }
             $r = new \ReflectionProperty(TextPart::class, $name);
             $r->setAccessible(true);
             $r->setValue($this, $this->_parent[$name]);
diff --git a/src/Symfony/Component/Process/Pipes/UnixPipes.php b/src/Symfony/Component/Process/Pipes/UnixPipes.php
@@ -35,6 +35,16 @@ public function __construct(?bool $ttyMode, bool $ptyMode, $input, bool $haveRea
         parent::__construct($input);
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         $this->close();
diff --git a/src/Symfony/Component/Process/Pipes/WindowsPipes.php b/src/Symfony/Component/Process/Pipes/WindowsPipes.php
@@ -88,6 +88,16 @@ public function __construct($input, bool $haveReadSupport)
         parent::__construct($input);
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         $this->close();
diff --git a/src/Symfony/Component/Process/Process.php b/src/Symfony/Component/Process/Process.php
diff --git a/src/Symfony/Component/Routing/Loader/Configurator/CollectionConfigurator.php b/src/Symfony/Component/Routing/Loader/Configurator/CollectionConfigurator.php
diff --git a/src/Symfony/Component/Routing/Loader/Configurator/ImportConfigurator.php b/src/Symfony/Component/Routing/Loader/Configurator/ImportConfigurator.php
diff --git a/src/Symfony/Component/Yaml/Parser.php b/src/Symfony/Component/Yaml/Parser.php
diff --git a/src/Symfony/Component/Yaml/Tests/InlineTest.php b/src/Symfony/Component/Yaml/Tests/InlineTest.php
diff --git a/src/Symfony/Component/Yaml/Tests/ParserTest.php b/src/Symfony/Component/Yaml/Tests/ParserTest.php
diff --git a/src/Symfony/Contracts/README.md b/src/Symfony/Contracts/README.md

Original file line number	Diff line number	Diff line change
`@@ -89,6 +89,12 @@ public function __sleep(): array`
`89`	`89`
`90`	`90`	`public function __wakeup()`
`91`	`91`	`{`
	`92`	`+ foreach ($this as $k => $v) {`
	`93`	`+ if (\is_object($v)) {`
	`94`	`+ throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);`
	`95`	`+ }`
	`96`	`+ }`
	`97`	`+`
`92`	`98`	`$this->__construct($this->varDir, $this->testCase, $this->rootConfig, $this->environment, $this->debug);`
`93`	`99`	`}`
`94`	`100`
Original file line number	Diff line number	Diff line change
`@@ -362,6 +362,16 @@ public function reset()`
`362`	`362`	`}`
`363`	`363`	`}`
`364`	`364`
	`365`	`+ public function __sleep()`
	`366`	`+ {`
	`367`	`+ throw new \BadMethodCallException('Cannot serialize '.__CLASS__);`
	`368`	`+ }`
	`369`	`+`
	`370`	`+ public function __wakeup()`
	`371`	`+ {`
	`372`	`+ throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);`
	`373`	`+ }`
	`374`	`+`
`365`	`375`	`public function __destruct()`
`366`	`376`	`{`
`367`	`377`	`$this->reset();`