[TASK] Use secure deserialization in extension manager 58/57458/3
author Oliver Hader <oliver@typo3.org>
Tue, 3 Jul 2018 14:16:19 +0000 (16:16 +0200)
committer Tymoteusz Motylewski <t.motylewski@gmail.com>
Thu, 5 Jul 2018 14:47:51 +0000 (16:47 +0200)
commit 728ec5b0e8e46131cdb18ef84ee7b7d851adaef0
tree 0c5f5b715ff1abb1ff1db714e9587f7baa3865f2
parent cc6d67cd3bcd74a89549be8a742075aa3b920f3b
[TASK] Use secure deserialization in extension manager

In order to harden the deserialization of scalar and array values
in extension manager, unserialize() calls are hardened further to
disallow object reconstitution. The information is retrieved from
the TYPO3 extension repository (TER) where corresponding countermeasures
are in place to protect against object injections - that's why this change
is considered hardening and not a security issue.

Resolves: #85466
Releases: master, 8.7
Change-Id: I65b61d61e08d0c50b27ae9102d7ba4c4518a8788
Reviewed-on: https://review.typo3.org/57458
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Daniel Goerz <ervaude@gmail.com>
Tested-by: Daniel Goerz <ervaude@gmail.com>
Reviewed-by: Joerg Boesche <typo3@joergboesche.de>
Reviewed-by: Tymoteusz Motylewski <t.motylewski@gmail.com>
Tested-by: Tymoteusz Motylewski <t.motylewski@gmail.com>
typo3/sysext/extensionmanager/Classes/Utility/Connection/TerUtility.php
typo3/sysext/extensionmanager/Classes/Utility/EmConfUtility.php
typo3/sysext/extensionmanager/Classes/Utility/ExtensionModelUtility.php
typo3/sysext/extensionmanager/Classes/Utility/Parser/AbstractExtensionXmlParser.php
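
The hardening described in the commit message, sketched as an added example (not code from this commit, whose diff is not shown on this page): it uses PHP 7's `allowed_classes` option of `unserialize()` as one way to disallow object reconstitution. The class `SideEffect`, the helpers `containsObject()` and `unserializeScalarsAndArrays()`, and the sample data are constructed for illustration and are not TYPO3 APIs.

```php
<?php
// Constructed stand-in for a class whose magic method has a side effect.
final class SideEffect
{
    public static $woken = 0;
    public function __wakeup()
    {
        self::$woken++;
    }
}

// True if $value is, or contains at any depth, an object.
function containsObject($value): bool
{
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
        return false;
    }
    // Before PHP 7.2, is_object() is false for __PHP_Incomplete_Class.
    return is_object($value) || $value instanceof \__PHP_Incomplete_Class;
}

// Hypothetical helper: deserialize data expected to hold scalars and arrays only.
function unserializeScalarsAndArrays(string $payload)
{
    // No class is instantiated, so no __wakeup()/__destruct() of it can run.
    $value = unserialize($payload, ['allowed_classes' => false]);
    if ($value === false && $payload !== 'b:0;') {
        throw new UnexpectedValueException('Not valid serialized data');
    }
    // Serialized objects come back as __PHP_Incomplete_Class; refuse them.
    if (containsObject($value)) {
        throw new UnexpectedValueException('Object found in serialized data');
    }
    return $value;
}

// Constructed sample input: one plain array, one array carrying an object.
$clean = serialize(['title' => 'News', 'dependencies' => ['typo3' => '8.7.0-8.7.99']]);
$tainted = serialize(['title' => 'News', 'extra' => new SideEffect()]);

var_dump(unserializeScalarsAndArrays($clean)['dependencies']);
unserialize($tainted); // unhardened call: object is rebuilt, __wakeup() runs
try {
    unserializeScalarsAndArrays($tainted); // hardened call: rejected instead
} catch (UnexpectedValueException $e) {
    printf("%s; __wakeup() ran %d time(s)\n", $e->getMessage(), SideEffect::$woken);
}
```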