[TASK] unserialize() without objects for extConf 14/48314/4
author Christian Kuhn <lolli@schwarzbu.ch>
Fri, 27 May 2016 10:22:18 +0000 (12:22 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Fri, 27 May 2016 11:42:44 +0000 (13:42 +0200)
commit 7e2ce1d2bb982fee534d6514c30dc4f6b1762120
tree ff188d50596ca39d2e267e68bfa398aee3aa0ba7
parent e1e34016386d397583cf04dfc43b470f819cd5a3
[TASK] unserialize() without objects for extConf

To mitigate potential "insecure unserialize()" issues, the new PHP7
feature to allow only specific classes or to totally deny object
creation is rolled out throughout the core in v8.

Since a lot of places use unserialize() and some are critical or
hard to understand, this is done with a series of patches for
single areas.

This patch denies object creation at all places where
$GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['anExtension'] is
unserialized() - the extension manager and ext_conf_template.txt
handling never handles objects at this place, so it should be
safe to deny objects at all places.

Change-Id: Ie96e6fb6837418fd765f883b216b7a9c5af5795d
Resolves: #76320
Releases: master
Reviewed-on: https://review.typo3.org/48314
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
24 files changed:
typo3/sysext/backend/Classes/Controller/BackendController.php
typo3/sysext/backend/Classes/Controller/LoginController.php
typo3/sysext/compatibility7/Classes/Controller/SearchFormController.php
typo3/sysext/css_styled_content/Configuration/TCA/Overrides/pages.php
typo3/sysext/css_styled_content/ext_localconf.php
typo3/sysext/dbal/Classes/Database/DatabaseConnection.php
typo3/sysext/extensionmanager/Classes/Utility/ConfigurationUtility.php
typo3/sysext/extensionmanager/ext_localconf.php
typo3/sysext/fluid_styled_content/Configuration/TCA/Overrides/pages.php
typo3/sysext/fluid_styled_content/ext_localconf.php
typo3/sysext/indexed_search/Classes/Controller/AdministrationController.php
typo3/sysext/indexed_search/Classes/Controller/SearchController.php
typo3/sysext/indexed_search/Classes/FileContentParser.php
typo3/sysext/indexed_search/Classes/Indexer.php
typo3/sysext/indexed_search/ext_localconf.php
typo3/sysext/install/Classes/Service/SilentConfigurationUpgradeService.php
typo3/sysext/install/Tests/Unit/Service/SilentConfigurationUpgradeServiceTest.php
typo3/sysext/rsaauth/Classes/Backend/CommandLineBackend.php
typo3/sysext/rsaauth/Classes/BackendWarnings.php
typo3/sysext/rtehtmlarea/ext_localconf.php
typo3/sysext/saltedpasswords/Classes/Utility/ExtensionManagerConfigurationUtility.php
typo3/sysext/saltedpasswords/Classes/Utility/SaltedPasswordsUtility.php
typo3/sysext/scheduler/Classes/Scheduler.php
typo3/sysext/scheduler/ext_localconf.php
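The mechanism the commit message relies on, as an added stand-alone example that is not TYPO3 code: the second argument of PHP 7's `unserialize()` with `allowed_classes => false` keeps array data intact while turning any embedded object into `__PHP_Incomplete_Class`, so no class is instantiated and no `__wakeup()` runs. `DemoWakeup`, `unserializeExtConf()` and the sample extConf values are constructed for this illustration.

```php
<?php
// Added example (not TYPO3 code). Requires PHP >= 7.0.

// A class with a magic method, standing in for any class that a
// serialized payload could name.
class DemoWakeup
{
    public static $wakeupCalls = 0;

    public function __wakeup()
    {
        self::$wakeupCalls++;
    }
}

// Constructed sample values: a normal extConf array (the only thing the
// extension manager ever stores) and the same data with an object inside.
$plainExtConf = serialize(['enableFoo' => '1', 'limit' => '10']);
$withObject   = serialize(['enableFoo' => '1', 'hook' => new DemoWakeup()]);

// Hypothetical helper mirroring the pattern rolled out by the patch:
// object creation is denied while decoding extension configuration.
function unserializeExtConf(string $data): array
{
    $result = unserialize($data, ['allowed_classes' => false]);
    // extConf is always an array; treat anything else as corrupt data.
    return is_array($result) ? $result : [];
}

// Ordinary configuration data is decoded unchanged.
$a = unserializeExtConf($plainExtConf);
printf("limit preserved: %s\n", var_export($a['limit'] === '10', true));

// With objects denied, the embedded object is not instantiated: it
// becomes __PHP_Incomplete_Class and its __wakeup() is never called.
DemoWakeup::$wakeupCalls = 0;
$b = unserializeExtConf($withObject);
printf("hook is incomplete class: %s\n",
    var_export($b['hook'] instanceof __PHP_Incomplete_Class, true));
printf("__wakeup() calls after hardened decode: %d\n", DemoWakeup::$wakeupCalls);

// For comparison, the pre-patch call without the option instantiates the
// class and runs __wakeup(), which is exactly what the patch removes.
$c = unserialize($withObject);
printf("__wakeup() calls after plain unserialize(): %d\n", DemoWakeup::$wakeupCalls);
```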