[SECURITY] Disallow insecure deserialization for l18n_diffsource 46/61146/2
authorOliver Hader <oliver@typo3.org>
Tue, 25 Jun 2019 06:42:25 +0000 (08:42 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 25 Jun 2019 06:42:30 +0000 (08:42 +0200)
commit647aa7afa582983cddc547fa106d31e2b1ef34fe
tree8e63dfaaec7a6a7a3977533a48c28a6bde6f0011
parent75cc3d6bfedf70c2120ef8c6f6dd104e905c1569
[SECURITY] Disallow insecure deserialization for l18n_diffsource

Serialized values in l18n_diffsource are vulnerable to insecure
deserialization when being invoked in FormEngine or DataHandler.

Resolves: #88323
Releases: master, 9.5, 8.7
Security-Commit: 215de3e52140dc69ccb0e5802ab4234922b1aa63
Security-Bulletin: TYPO3-CORE-SA-2019-020
Change-Id: I03704b35d94e2575e9231656977f3760e6f04e2b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61146
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/backend/Classes/Form/FormDataProvider/DatabaseLanguageRows.php
typo3/sysext/core/Classes/DataHandling/DataHandler.php