[SECURITY] Unsafe unserialize of GET parameter in Add-Wizard
[Packages/TYPO3.CMS.git] / typo3 / sysext / backend / Classes / Controller / Wizard / AddController.php
index f91bba8..e915a2b 100644 (file)
@@ -121,7 +121,7 @@ class AddController {
                // Else proceed:
                // If a new id has returned from a newly created record...
                if ($this->returnEditConf) {
-                       $eC = unserialize($this->returnEditConf);
+                       $eC = json_decode($this->returnEditConf, TRUE);
                        if (is_array($eC[$this->table]) && \TYPO3\CMS\Core\Utility\MathUtility::canBeInterpretedAsInteger($this->P['uid'])) {
                                // Getting id and cmd from returning editConf array.
                                reset($eC[$this->table]);
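Review bot: The condition after the new `json_decode()` call indexes `$eC[$this->table]` without first checking that `$eC` itself is an array, although `json_decode()` returns NULL for malformed input and a scalar for valid JSON such as a bare string or number. Guarding the lookup keeps a crafted `returnEditConf` from reaching an offset access on a non-array, which depending on the PHP version may raise a notice or an error: `if (is_array($eC) && isset($eC[$this->table]) && is_array($eC[$this->table]) && …) {`. Decoding as JSON removes the object-instantiation risk, but the decoded structure is still request-controlled, so the id and cmd read from it should be validated before use; that code continues past the end of this hunk and is not visible here. A short comment above the decode, e.g. `// returnEditConf comes from the request: decode as JSON only, never unserialize()`, would help keep a later refactoring from reintroducing the original call.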