[TASK] Use secure deserialization in extension manager 77/57477/2
author Oliver Hader <oliver@typo3.org>
Tue, 3 Jul 2018 14:16:19 +0000 (16:16 +0200)
committer Tymoteusz Motylewski <t.motylewski@gmail.com>
Fri, 6 Jul 2018 07:24:45 +0000 (09:24 +0200)
commit 09856b40f1c2166b33b6d4a1fa08cf10d253bf44
tree 6a020c8f83b61ac68ead8b0934713f04f5feb915
parent e74234825082964d685dc8dfbdb073649f2a3af9
[TASK] Use secure deserialization in extension manager

In order to harden the deserialization of scalar and array values
in extension manager unserialize() calls are hardened further to
disallow object reconstitution. The information is retrieved from
the TYPO3 extension repository (TER) where according countermeasures
are in place to protect object injections - that's why this change
is considered as hardening and not as security issue.

Resolves: #85466
Releases: master, 8.7
Change-Id: I65b61d61e08d0c50b27ae9102d7ba4c4518a8788
Reviewed-on: https://review.typo3.org/57477
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Tymoteusz Motylewski <t.motylewski@gmail.com>
Tested-by: Tymoteusz Motylewski <t.motylewski@gmail.com>
typo3/sysext/extensionmanager/Classes/Utility/Connection/TerUtility.php
typo3/sysext/extensionmanager/Classes/Utility/EmConfUtility.php
typo3/sysext/extensionmanager/Classes/Utility/ExtensionModelUtility.php
typo3/sysext/extensionmanager/Classes/Utility/Parser/AbstractExtensionXmlParser.php
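
The commit message above describes disallowing object reconstitution when deserializing scalar and array values. The following is an added example, not the TYPO3 code from this commit: it assumes PHP's `allowed_classes` option of `unserialize()` as the mechanism, and the helper names and sample payloads are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not TYPO3 code): unserialize data that is expected
 * to contain only scalars and arrays, never objects.
 */
function unserializeScalarsAndArrays(string $payload)
{
    // allowed_classes => false: no class from the payload is instantiated,
    // so no __wakeup()/__destruct() of a payload-chosen class can run.
    // Serialized objects become inert __PHP_Incomplete_Class instances.
    // "@" hides the notice for malformed input; the false return is handled.
    $value = @unserialize($payload, ['allowed_classes' => false]);

    // false means "malformed" unless the payload really is serialize(false).
    if ($value === false && $payload !== 'b:0;') {
        throw new UnexpectedValueException('Malformed serialized data');
    }
    // Stricter than the option alone: refuse payloads that carried objects.
    assertNoObjects($value);
    return $value;
}

function assertNoObjects($value): void
{
    // The instanceof check also covers PHP < 7.2, where is_object()
    // returned false for __PHP_Incomplete_Class.
    if ($value instanceof __PHP_Incomplete_Class || is_object($value)) {
        throw new UnexpectedValueException('Object found in serialized data');
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            assertNoObjects($item);
        }
    }
}

// Constructed sample: extension metadata as a plain nested array.
$plain = serialize(['title' => 'Example', 'depends' => ['typo3' => '8.7.0-8.7.99']]);
var_dump(unserializeScalarsAndArrays($plain));

// Constructed sample: an array with a serialized object embedded in it.
$withObject = 'a:2:{s:5:"title";s:7:"Example";s:1:"x";O:8:"stdClass":0:{}}';
try {
    unserializeScalarsAndArrays($withObject);
} catch (UnexpectedValueException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```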