Prevent unserializing the generator
Nyholm committed Dec 11, 2020
1 parent b07d15b commit fb44f85
Showing 2 changed files with 9 additions and 0 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,9 @@
# CHANGELOG

## 2020-12-11, v1.9.2

This is a security release that prevents a hacker to execute code on the server.

## 2019-12-03, v1.9.1

- Add link to PHPStan extension to readme [\#1834](https://github.com/fzaninotto/Faker/pull/1834) ([finwe](https://github.com/finwe))
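Review bot: the new changelog entry says only that the release "prevents a hacker to execute code on the server"; it should state what actually changed (Generator::__wakeup now resets $formatters so an unserialized Generator carries no caller-supplied callables), correct the grammar to "prevents an attacker from executing code", and link the advisory or PR where one exists so consumers can assess exposure. Since the fix adds a magic method to a 1.9.x patch release, a one-line compatibility note would also head off the platform questions raised in the comments below.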
5 changes: 5 additions & 0 deletions src/Faker/Generator.php
Expand Up @@ -289,4 +289,9 @@ public function __destruct()
{
$this->seed();
}

public function __wakeup()
{
$this->formatters = array();
}
}
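Review bot: __wakeup() silently discards $formatters and otherwise accepts whatever state the serialized payload supplied; a doc comment should record that this is deliberate (a Generator restored via unserialize() must not keep attacker-controlled formatter callables), and it is worth considering whether the class has any legitimate reason to be unserialized at all, in which case throwing from __wakeup() would be the stricter option. The choice of array() over the short [] syntax is what keeps this on PHP 5.3, so that should be stated in the comment too so a later cleanup does not "modernize" it away.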

5 comments on commit fb44f85

@glensc
@glensc glensc commented on fb44f85 Jan 12, 2021


Weird that in the original project the same change was made as breaking PHP 5.3 compatibility:

I came to this because I was using the original project (without composer.lock) and it had updated from 1.9.1 to 1.9.2, which is a breaking change for PHP 5.3 in the original project:

As the original project is archived, I cannot report this via the formal way.
I contacted @fzaninotto via email (on Dec 28 2020) asking that he remove 1.9.2 and optionally release 1.9.3 with a proper fix, because it's a semver-incompatible change. But as none of that was done, I'm posting it here publicly in hope of better visibility.

And as this commit itself seems to be without a PR, I'm leaving this in a commit comment.

@Nyholm
Member Author

@Nyholm Nyholm commented on fb44f85 Jan 12, 2021


I understand that this broke PHP 5.3 for you.

This was a coordinated security fix and I will not make any further changes to the 1.9 branch related to this.

I'm sorry if this is an inconvenience for you. I would strongly recommend that you update your platform to a supported version of PHP. A workaround for you while you are updating PHP is to stick with version 1.9.1.

@glensc

@glensc glensc commented on fb44f85 Jan 12, 2021


@Nyholm thank you for responding.

However, the message was directed to @fzaninotto, as fzaninotto/[email protected] is broken (this commit: fzaninotto@848d812); the fork, fakerphp/[email protected], is okay (this commit: fb44f85).

@GrahamCampbell
Member


Everyone should switch to this package instead. It won't cause composer conflicts, even if your subdependencies depend on the original package, because we explicitly replace 1.9.2 of the old package with 1.9.2 of this package.
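As an added illustration of the Composer `replace` mechanism this comment relies on (not taken from the page or from the project's own composer.json; the package names and the `self.version` value are assumed for the example), a fork declares that it satisfies requirements on the original package at the same version number:

```json
{
    "name": "fakerphp/faker",
    "description": "Illustrative composer.json fragment showing the replace directive",
    "replace": {
        "fzaninotto/faker": "self.version"
    }
}
```

With this in place, a project that requires `fakerphp/faker` at 1.9.2 also satisfies any transitive `fzaninotto/faker` constraint that 1.9.2 matches, so Composer installs the fork once instead of reporting a conflict between the two package names. The practical check is `composer why fzaninotto/faker` after the switch: it should show the requirement resolved through the fork rather than a second copy of the original package.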

@GrahamCampbell
Member


I would vote against the upstream package doing anything. If anything this is helpful, highlighting the need for people to migrate to this package.
