bug #39794 Dont allow unserializing classes with a destructor - 4.4 (jderusse)

nicolas-grekas · nicolas-grekas · commit 256f40579d51 · 2021-01-12T10:49:10.000+01:00
This PR was merged into the 4.4 branch.

Discussion
----------

Dont allow unserializing classes with a destructor - 4.4

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | -
| License       | MIT
| Doc PR        | -

Prevent destructors with side-effects from being unserialized

Commits
-------

955395c999 Dont allow unserializing classes with a destructor - 4.4
diff --git a/Chunk/ErrorChunk.php b/Chunk/ErrorChunk.php
@@ -115,6 +115,16 @@ public function didThrow(): bool
         return $this->didThrow;
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         if (!$this->didThrow) {
diff --git a/CurlHttpClient.php b/CurlHttpClient.php
@@ -362,6 +362,16 @@ public function reset()
         }
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         $this->reset();
diff --git a/HttplugClient.php b/HttplugClient.php
@@ -218,6 +218,16 @@ public function createUri($uri): UriInterface
         throw new \LogicException(sprintf('You cannot use "%s()" as the "nyholm/psr7" package is not installed. Try running "composer require nyholm/psr7".', __METHOD__));
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     public function __destruct()
     {
         $this->wait();
diff --git a/Response/ResponseTrait.php b/Response/ResponseTrait.php
@@ -199,6 +199,16 @@ public function toStream(bool $throw = true)
         return $stream;
     }
 
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+    }
+
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+    }
+
     /**
      * Closes the response and all its network handles.
      */

Original file line number	Diff line number	Diff line change
`@@ -362,6 +362,16 @@ public function reset()`
`362`	`362`	`}`
`363`	`363`	`}`
`364`	`364`
	`365`	`+ public function __sleep()`
	`366`	`+ {`
	`367`	`+ throw new \BadMethodCallException('Cannot serialize '.__CLASS__);`
	`368`	`+ }`
	`369`	`+`
	`370`	`+ public function __wakeup()`
	`371`	`+ {`
	`372`	`+ throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);`
	`373`	`+ }`
	`374`	`+`
`365`	`375`	`public function __destruct()`
`366`	`376`	`{`
`367`	`377`	`$this->reset();`