
Commit 6a3c86c

minor #21090 Secure unserialize by restricting allowed classes when using PHP 7 (dbrumann)
This PR was merged into the 3.3-dev branch.

Discussion
----------

Secure unserialize by restricting allowed classes when using PHP 7

| Q             | A      |
| ------------- | ------ |
| Branch?       | master |
| Bug fix?      | no     |
| New feature?  | no     |
| BC breaks?    | no     |
| Deprecations? | no     |
| Tests pass?   | yes    |
| Fixed tickets | ---    |
| License       | MIT    |
| Doc PR        | ---    |

While playing around with Symfony in a PHP 7.1 application I noticed a warning in how EnvParameterResource uses unserialize. Since PHP 7.0 introduced the options argument, which allows restricting which classes can be unserialized for better security, it might make sense to use it here. As far as I can tell this is no BC break; it only provides an additional safety mechanism.

Commits
-------

b4201810b9 Conditionally add options to unserialize in PHP 7.0+.
2 parents 81aff72 + 1451341 commit 6a3c86c

1 file changed: +5 -1 lines
FormError.php

Lines changed: 5 additions & 1 deletion
@@ -185,6 +185,10 @@ public function serialize()
185185
*/
186186
public function unserialize($serialized)
187187
{
188-
list($this->message, $this->messageTemplate, $this->messageParameters, $this->messagePluralization, $this->cause) = unserialize($serialized);
188+
if (PHP_VERSION_ID >= 70000) {
189+
list($this->message, $this->messageTemplate, $this->messageParameters, $this->messagePluralization, $this->cause) = unserialize($serialized, array('allowed_classes' => false));
190+
} else {
191+
list($this->message, $this->messageTemplate, $this->messageParameters, $this->messagePluralization, $this->cause) = unserialize($serialized);
192+
}
189193
}
190194
}
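Review bot: `array('allowed_classes' => false)` makes `unserialize()` turn every object in the payload into `__PHP_Incomplete_Class`, so on PHP 7 any of the five restored values that holds an object (`$this->cause` in particular, which the `list()` in this hunk shows is part of the serialized state) comes back as a different type than it does in the PHP 5 branch directly below; if an object can legitimately be stored there, pass an explicit array of permitted class names as `allowed_classes` instead of `false`, and add a test that round-trips a FormError whose cause is an object so the change in behaviour is caught. Minor style point: the five-element `list(...)` assignment is duplicated in both branches; unserialize into a local `$data` in each branch and perform the single `list()` assignment once after the `if`/`else`.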
