Possible issue with unserialize in PHP 7.3 #29459
Comments
For me, I just had my User entity implement \Serializable and limited what gets serialized, so it's just an array. If you were using FOSUserBundle you would not have this problem. |
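The workaround described in the comment above, as an added example that is not part of the original thread or of Symfony's code: a hypothetical `User` entity (class and field names are assumptions) whose serialized form is a flat array of scalars, so related objects never reach the session payload, and `allowed_classes` limits what `unserialize()` may instantiate.

```php
<?php
declare(strict_types=1);
// Hypothetical entity for illustration; class and field names are assumptions.
final class User implements \Serializable
{
    private $id;
    private $username;
    private $password;
    private $groups; // related objects (e.g. ORM collections) that must stay out of the session
    public function __construct(int $id, string $username, string $password, array $groups = [])
    {
        $this->id = $id;
        $this->username = $username;
        $this->password = $password;
        $this->groups = $groups;
    }

    // PHP 7.4+ hooks: export a flat array of scalars, nothing else.
    public function __serialize(): array
    {
        return [$this->id, $this->username, $this->password];
    }
    public function __unserialize(array $data): void
    {
        [$this->id, $this->username, $this->password] = $data;
        $this->groups = [];
    }

    // \Serializable hooks, used by PHP versions before 7.4.
    public function serialize(): string
    {
        return serialize($this->__serialize());
    }

    public function unserialize($serialized): void
    {
        // The payload holds scalars only, so refuse to instantiate any class from it.
        $this->__unserialize(unserialize($serialized, ['allowed_classes' => false]));
    }

    public function getUsername(): string { return $this->username; }
    public function getGroups(): array { return $this->groups; }
}

// Constructed sample data: one user carrying a nested object.
$user = new User(42, 'alice', 'constructed-hash', [new \stdClass()]);
$payload = serialize($user);
$restored = unserialize($payload, ['allowed_classes' => [User::class]]);
var_dump($restored->getUsername(), $restored->getGroups(), strpos($payload, 'stdClass'));
```

The nested `stdClass` never appears in `$payload`, so the restored user comes back with an empty group list and has to reload its relations from storage.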
Reproduced this in 4.1.7 |
Having the same issue on PHP 7.3.0. |
Could someone please provide a minimal app with enough code to reproduce? |
I'm facing the exact same issue with 4.1.* and 4.2.* when using PHP 7.2. |
Hi, same issue for me with Docker (php7.3.0-fpm). |
@broncha yes, surely it can be a temporary fix (and perhaps best practice), but this is still a bug. If an object is not supported, then an exception should be thrown when we try to store an object inside. |
@javiereguiluz 7.2 with 3.4.20 works for me, perhaps things are different on 4.x. For now with 3.4.x I only see breaks in php 7.3 |
I've debugged this a bit more. First: this is NOT a PHP 7.3 issue. I don't have PHP 7.3 on my machine and I suffered this issue when upgrading Symfony. The most recent Symfony version that works for me is 4.1.6. All the following versions show the same error: 4.1.7, 4.1.8, 4.1.9, 4.2.0 and 4.2.1. |
@yellow1912 I agree. At least this is not blocking anything anymore for me. |
Could anyone provide an example application that allows to reproduce? |
Some guessing: Are you all using the entity user provider? And did you by any chance also update Doctrine related packages? |
@xabbuh I was using a custom provider. Not the stock entity provider. I might have updated Doctrine packages. |
For me I was using FOS but then later dropped it and now also using our own user provider. For doctrine, I think we updated it along with SF as well. |
@javiereguiluz it seems like a PHP problem, see https://3v4l.org/gTumn. It is a serialized user on 7.3.0 with Symfony 3.4.20, custom authenticator from SimpleFormAuthenticatorInterface. |
Looks like a php 7.3 bug, did anyone report it to get feedback from the PHP team? |
@nicolas-grekas I'm not sure. I don't have PHP 7.3 on my machine (I have PHP 7.2.7) and I can see this error with some Symfony versions but not others:
|
@javiereguiluz Could you give the steps to reproduce? Does it happen on |
@chalasr it's a private app ... and it's complex ... I tried to extract a reproducer but it's not possible for me :( I'm going to send you via email the full error page in case you see something in the error trace. Thanks! |
@nicolas-grekas there was no similar issue in the bug tracker, so I've reported it: https://bugs.php.net/bug.php?id=77302 |
I reproduced the issue on an app, there is definitely a PHP bug:
We hit the bug because of this line added in 4.1.7. |
I confirm that reverting the changes made in #28072 fixed the problem for me. Thanks Nicolas! |
See #29621 for the fix |
…r user refreshment (chalasr)

This PR was merged into the 3.4 branch.

Discussion
----------

[Security] Prefer clone() over unserialize(serialize()) for user refreshment

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #29459
| License       | MIT
| Doc PR        | n/a

To not hit the `serialize()` bug reported in the related ticket

Commits
-------

a8eba80 [Security] Prefer clone over unserialize(serialize()) for user refreshment
Another place where the PHP bug is hit: symfony/src/Symfony/Component/Security/Core/Authentication/Token/UsernamePasswordToken.php, lines 89 to 104 in f2590d1
|
I would bet that there will be other places which are using serialize/unserialize and where embedded objects can end up. |
@analogic did you actually hit the bug in other places? Can you provide some stack trace/reproducer? |
I had it yesterday in a Datacollector. Forgot to take detail |
@nicolas-grekas not yet, UsernamePasswordToken.php only (the fix does not work for me). IMHO there is not much that can be done in Symfony, I will adjust my user structure... |
Hi there, providers: I hope this helps to solve the problem. If there are more questions arising, I will be glad to answer them. |
Ok, it seems to be a problem arising from using PHP v7.3.0. When I use v7.1.25, everything works fine. But still it would be awesome if there were a workaround so no one runs into this PHP-based error :) |
That's a PHP bug, it should be reported on http://bugs.php.net/ with a simple reproducer. |
Ok, I will try to build a simple application asap:) |
If you report PHP bug, I think you can add the example to this one: https://bugs.php.net/bug.php?id=77302 It will help the php developers to confirm the existence of this known bug. |
The same issue exists in |
@toooni found the same issue, silenced error in logs:
|
From PHP bug discussion:
So I bet it will not be fixed until php 7.4 and we have to use some workaround. |
Same issue with php 7.3 and symfony 4.2, with php 7.2.14 all works fine. |
See #29951 |
Symfony 2.8 hasn't been maintained for a long time. You should update to a supported version first and check if that already resolves your issue. |
Symfony version(s) affected: 3.4.19
Description
Upon upgrading to PHP 7.3, we run into an issue with the unserialization of the user/token object when logging in.
The error is like this:
The exact error happens in:
in vendor/symfony/symfony/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php (line 155)
How to reproduce
It seems like this is due to the serialized object containing an object class inside it.
Not sure what changed in PHP 7.3 RC6. At first I thought it could be that unserialize now requires the allowed_classes option to be set to true explicitly. I tried that by editing Symfony code but it didn't help.
Possible Solution
Not a clue for now
Additional context
Everything was running fine on PHP 7.2 so it must be the changes in 7.3 RC6 that break things.
I attached here a sample of the string to unserialize:
https://gist.github.com/yellow1912/43e4009e0384426ccfa017feb0eedcc9