bug #29621 [Security] Prefer clone() over unserialize(serialize()) for user refreshment (chalasr)

This PR was merged into the 3.4 branch.

Discussion
----------

[Security] Prefer clone() over unserialize(serialize()) for user refreshment

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #29459
| License       | MIT
| Doc PR        | n/a

To not hit the `serialize()` bug reported in the related ticket

Commits
-------

a8eba80 [Security] Prefer clone over unserialize(serialize()) for user refreshment
nicolas-grekas committed Dec 17, 2018
2 parents d1bf595 + a8eba80 commit 49c21d5
Showing 1 changed file with 1 addition and 1 deletion.
Expand Up @@ -170,7 +170,7 @@ protected function refreshUser(TokenInterface $token)

try {
$refreshedUser = $provider->refreshUser($user);
$newToken = unserialize(serialize($token));
$newToken = clone $token;
$newToken->setUser($refreshedUser);

// tokens can be deauthenticated if the user has been changed.
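
Review bot: `$newToken = clone $token;` makes a shallow copy, while the `unserialize(serialize($token))` call it replaces produced a fully independent deep copy. Any object the token holds, other than the user swapped in by `$newToken->setUser($refreshedUser);` on the next line, is now shared between `$token` and `$newToken` unless the token class defines `__clone()`. Since the code that follows can deauthenticate the new token when the user has changed, it is worth confirming that nothing mutated on `$newToken` can leak back into the original `$token`. A short comment here stating that a shallow copy is sufficient would help, and so would a test asserting that the original token is unchanged after a refresh, since this commit touches only one file.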