Merge branch '3.4' into 4.0

* 3.4: (26 commits)
  [Serializer] Fixed throwing exception with option JSON_PARTIAL_OUTPUT_ON_ERROR
  [HttpKernel] Fix session handling: decouple "save" from setting response "private"
  swap filter/function and package names
  [HttpFoundation] Always call proxied handler::destroy() in StrictSessionHandler
  [HttpKernel] Fix compile error when a legacy container is fresh again
  Add tests for the HttpKernel request collector and redirection via cookies
  Uses cookies to track the requests redirection
  Tweaked some styles in the profiler tables
  Add type string to docblock for Process::setInput()
  [Security] Fail gracefully if the security token cannot be unserialized from the session
  [Form] AbstractLayoutTest - fix DOMDocument casing
  Run simple-phpunit with --no-suggest option
  [FrameworkBundle] Fix using "annotations.cached_reader" in after-removing passes
  bumped Symfony version to 3.4.4
  updated VERSION for 3.4.3
  updated CHANGELOG for 3.4.3
  bumped Symfony version to 3.3.16
  updated VERSION for 3.3.15
  updated CHANGELOG for 3.3.15
  bumped Symfony version to 2.8.34
  ...

Author: xabbuh

Http/Firewall/ContextListener.php

@@ -44,6 +44,8 @@ class ContextListener implements ListenerInterface
     private $registered;
     private $trustResolver;
 
+    private static $unserializeExceptionCode = 0x37313bc;
+
     /**
      * @param TokenStorageInterface                     $tokenStorage
      * @param iterable|UserProviderInterface[]          $userProviders
@@ -91,7 +93,7 @@ public function handle(GetResponseEvent $event)
             return;
         }
 
-        $token = unserialize($token);
+        $token = $this->safelyUnserialize($token);
 
         if (null !== $this->logger) {
             $this->logger->debug('Read existing security token from the session.', array(
@@ -210,4 +212,43 @@ protected function refreshUser(TokenInterface $token)
 
         throw new \RuntimeException(sprintf('There is no user provider for user "%s".', get_class($user)));
     }
+
+    private function safelyUnserialize($serializedToken)
+    {
+        $e = $token = null;
+        $prevUnserializeHandler = ini_set('unserialize_callback_func', __CLASS__.'::handleUnserializeCallback');
+        $prevErrorHandler = set_error_handler(function ($type, $msg, $file, $line, $context = array()) use (&$prevErrorHandler) {
+            if (__FILE__ === $file) {
+                throw new \UnexpectedValueException($msg, self::$unserializeExceptionCode);
+            }
+
+            return $prevErrorHandler ? $prevErrorHandler($type, $msg, $file, $line, $context) : false;
+        });
+
+        try {
+            $token = unserialize($serializedToken);
+        } catch (\Error $e) {
+        } catch (\Exception $e) {
+        }
+        restore_error_handler();
+        ini_set('unserialize_callback_func', $prevUnserializeHandler);
+        if ($e) {
+            if (!$e instanceof \UnexpectedValueException || self::$unserializeExceptionCode !== $e->getCode()) {
+                throw $e;
+            }
+            if ($this->logger) {
+                $this->logger->warning('Failed to unserialize the security token from the session.', array('key' => $this->sessionKey, 'received' => $serializedToken, 'exception' => $e));
+            }
+        }
+
+        return $token;
+    }
+
+    /**
+     * @internal
+     */
+    public static function handleUnserializeCallback($class)
+    {
+        throw new \UnexpectedValueException('Class not found: '.$class, self::$unserializeExceptionCode);
+    }
 }

Http/Tests/Firewall/ContextListenerTest.php

@@ -173,6 +173,8 @@ public function testInvalidTokenInSession($token)
     public function provideInvalidToken()
     {
         return array(
+            array('foo'),
+            array('O:8:"NotFound":0:{}'),
             array(serialize(new \__PHP_Incomplete_Class())),
             array(serialize(null)),
             array(null),