Merge branch '3.3' into 3.4

* 3.3:
  [Serializer] Fixed throwing exception with option JSON_PARTIAL_OUTPUT_ON_ERROR
  Tweaked some styles in the profiler tables
  Add type string to docblock for Process::setInput()
  [Security] Fail gracefully if the security token cannot be unserialized from the session
  [Form] AbstractLayoutTest - fix DOMDocument casing
  Run simple-phpunit with --no-suggest option
  [FrameworkBundle] Fix using "annotations.cached_reader" in after-removing passes
  bumped Symfony version to 3.3.16
  updated VERSION for 3.3.15
  updated CHANGELOG for 3.3.15
  bumped Symfony version to 2.8.34
  updated VERSION for 2.8.33
  updated CHANGELOG for 2.8.33
  bumped Symfony version to 2.7.41
  updated VERSION for 2.7.40
  update CONTRIBUTORS for 2.7.40
  updated CHANGELOG for 2.7.40

Author: xabbuh

Http/Firewall/ContextListener.php

@@ -45,6 +45,8 @@ class ContextListener implements ListenerInterface
     private $trustResolver;
     private $logoutOnUserChange = false;
 
+    private static $unserializeExceptionCode = 0x37313bc;
+
     /**
      * @param TokenStorageInterface                     $tokenStorage
      * @param iterable|UserProviderInterface[]          $userProviders
@@ -96,7 +98,7 @@ public function handle(GetResponseEvent $event)
             return;
         }
 
-        $token = unserialize($token);
+        $token = $this->safelyUnserialize($token);
 
         if (null !== $this->logger) {
             $this->logger->debug('Read existing security token from the session.', array(
@@ -219,4 +221,43 @@ protected function refreshUser(TokenInterface $token)
 
         throw new \RuntimeException(sprintf('There is no user provider for user "%s".', get_class($user)));
     }
+
+    private function safelyUnserialize($serializedToken)
+    {
+        $e = $token = null;
+        $prevUnserializeHandler = ini_set('unserialize_callback_func', __CLASS__.'::handleUnserializeCallback');
+        $prevErrorHandler = set_error_handler(function ($type, $msg, $file, $line, $context = array()) use (&$prevErrorHandler) {
+            if (__FILE__ === $file) {
+                throw new \UnexpectedValueException($msg, self::$unserializeExceptionCode);
+            }
+
+            return $prevErrorHandler ? $prevErrorHandler($type, $msg, $file, $line, $context) : false;
+        });
+
+        try {
+            $token = unserialize($serializedToken);
+        } catch (\Error $e) {
+        } catch (\Exception $e) {
+        }
+        restore_error_handler();
+        ini_set('unserialize_callback_func', $prevUnserializeHandler);
+        if ($e) {
+            if (!$e instanceof \UnexpectedValueException || self::$unserializeExceptionCode !== $e->getCode()) {
+                throw $e;
+            }
+            if ($this->logger) {
+                $this->logger->warning('Failed to unserialize the security token from the session.', array('key' => $this->sessionKey, 'received' => $serializedToken, 'exception' => $e));
+            }
+        }
+
+        return $token;
+    }
+
+    /**
+     * @internal
+     */
+    public static function handleUnserializeCallback($class)
+    {
+        throw new \UnexpectedValueException('Class not found: '.$class, self::$unserializeExceptionCode);
+    }
 }

Http/Tests/Firewall/ContextListenerTest.php

@@ -173,6 +173,8 @@ public function testInvalidTokenInSession($token)
     public function provideInvalidToken()
     {
         return array(
+            array('foo'),
+            array('O:8:"NotFound":0:{}'),
             array(serialize(new \__PHP_Incomplete_Class())),
             array(serialize(null)),
             array(null),