Merge branch '2.8' into 3.3

* 2.8:
  [Serializer] Fixed throwing exception with option JSON_PARTIAL_OUTPUT_ON_ERROR
  Tweaked some styles in the profiler tables
  [Security] Fail gracefully if the security token cannot be unserialized from the session
  [Form] AbstractLayoutTest - fix DOMDocument casing
  bumped Symfony version to 2.8.34
  updated VERSION for 2.8.33
  updated CHANGELOG for 2.8.33
  bumped Symfony version to 2.7.41
  updated VERSION for 2.7.40
  update CONTRIBUTORS for 2.7.40
  updated CHANGELOG for 2.7.40

Author: xabbuh

Http/Firewall/ContextListener.php

@@ -43,6 +43,8 @@ class ContextListener implements ListenerInterface
     private $registered;
     private $trustResolver;
 
+    private static $unserializeExceptionCode = 0x37313bc;
+
     public function __construct(TokenStorageInterface $tokenStorage, array $userProviders, $contextKey, LoggerInterface $logger = null, EventDispatcherInterface $dispatcher = null, AuthenticationTrustResolverInterface $trustResolver = null)
     {
         if (empty($contextKey)) {
@@ -82,7 +84,7 @@ public function handle(GetResponseEvent $event)
             return;
         }
 
-        $token = unserialize($token);
+        $token = $this->safelyUnserialize($token);
 
         if (null !== $this->logger) {
             $this->logger->debug('Read existing security token from the session.', array('key' => $this->sessionKey));
@@ -176,4 +178,43 @@ protected function refreshUser(TokenInterface $token)
 
         throw new \RuntimeException(sprintf('There is no user provider for user "%s".', get_class($user)));
     }
+
+    private function safelyUnserialize($serializedToken)
+    {
+        $e = $token = null;
+        $prevUnserializeHandler = ini_set('unserialize_callback_func', __CLASS__.'::handleUnserializeCallback');
+        $prevErrorHandler = set_error_handler(function ($type, $msg, $file, $line, $context = array()) use (&$prevErrorHandler) {
+            if (__FILE__ === $file) {
+                throw new \UnexpectedValueException($msg, self::$unserializeExceptionCode);
+            }
+
+            return $prevErrorHandler ? $prevErrorHandler($type, $msg, $file, $line, $context) : false;
+        });
+
+        try {
+            $token = unserialize($serializedToken);
+        } catch (\Error $e) {
+        } catch (\Exception $e) {
+        }
+        restore_error_handler();
+        ini_set('unserialize_callback_func', $prevUnserializeHandler);
+        if ($e) {
+            if (!$e instanceof \UnexpectedValueException || self::$unserializeExceptionCode !== $e->getCode()) {
+                throw $e;
+            }
+            if ($this->logger) {
+                $this->logger->warning('Failed to unserialize the security token from the session.', array('key' => $this->sessionKey, 'received' => $serializedToken, 'exception' => $e));
+            }
+        }
+
+        return $token;
+    }
+
+    /**
+     * @internal
+     */
+    public static function handleUnserializeCallback($class)
+    {
+        throw new \UnexpectedValueException('Class not found: '.$class, self::$unserializeExceptionCode);
+    }
 }

Http/Tests/Firewall/ContextListenerTest.php

@@ -177,6 +177,8 @@ public function testInvalidTokenInSession($token)
     public function provideInvalidToken()
     {
         return array(
+            array('foo'),
+            array('O:8:"NotFound":0:{}'),
             array(serialize(new \__PHP_Incomplete_Class())),
             array(serialize(null)),
             array(null),