[SECURITY] Explicitly deny object deserialization 46/57546/2
authorOliver Hader <oliver@typo3.org>
Thu, 12 Jul 2018 09:32:17 +0000 (11:32 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Thu, 12 Jul 2018 09:32:22 +0000 (11:32 +0200)
Resolves: #85385
Releases: master, 8.7, 7.6
Security-Commit: 6a294ad6b15677b41b90d93ad8690b92048404fe
Security-Bulletin: TYPO3-CORE-SA-2018-002
Change-Id: I710a0b7d6bfdb425380aebe3cbd7f88e73eb6b21
Reviewed-on: https://review.typo3.org/57546
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/rsaauth/Classes/Backend/CommandLineBackend.php
typo3/sysext/rsaauth/Tests/Unit/Backend/CommandLineBackendTest.php

index d7973c0..6c00efa 100644 (file)
@@ -68,6 +68,20 @@ class CommandLineBackend extends AbstractBackend
     }
 
     /**
+     * Denies deserialization.
+     */
+    public function __wakeup()
+    {
+        $this->opensslPath = null;
+        $this->temporaryDirectory = null;
+
+        throw new \RuntimeException(
+            __CLASS__ . ' cannot be unserialized',
+            1531336156
+        );
+    }
+
+    /**
      * Creates a new key pair for the encryption or gets the existing key pair (if one already has been generated).
      *
      * There should only be one key pair per request because the second private key would overwrites the first private
index b74a403..b24a87e 100644 (file)
@@ -28,10 +28,6 @@ class CommandLineBackendTest extends \TYPO3\TestingFramework\Core\Unit\UnitTestC
 
     protected function setUp()
     {
-        if (TYPO3_OS === 'WIN') {
-            $this->markTestSkipped('This test is not available on Windows as auto-detection of openssl path will fail.');
-        }
-
         $this->subject = new CommandLineBackend();
     }
 
@@ -40,6 +36,7 @@ class CommandLineBackendTest extends \TYPO3\TestingFramework\Core\Unit\UnitTestC
      */
     public function createNewKeyPairCreatesReadyKeyPair()
     {
+        $this->skipIfWindows();
         $keyPair = $this->subject->createNewKeyPair();
         if ($keyPair === null) {
             $this->markTestSkipped('KeyPair could not be generated. Maybe openssl was not found.');
@@ -53,6 +50,7 @@ class CommandLineBackendTest extends \TYPO3\TestingFramework\Core\Unit\UnitTestC
      */
     public function createNewKeyPairCreatesKeyPairWithDefaultExponent()
     {
+        $this->skipIfWindows();
         $keyPair = $this->subject->createNewKeyPair();
         if ($keyPair === null) {
             $this->markTestSkipped('KeyPair could not be generated. Maybe openssl was not found.');
@@ -69,9 +67,49 @@ class CommandLineBackendTest extends \TYPO3\TestingFramework\Core\Unit\UnitTestC
      */
     public function createNewKeyPairCalledTwoTimesReturnsSameKeyPairInstance()
     {
+        $this->skipIfWindows();
         $this->assertSame(
             $this->subject->createNewKeyPair(),
             $this->subject->createNewKeyPair()
         );
     }
+
+    /**
+     * @test
+     */
+    public function doesNotAllowUnserialization()
+    {
+        $this->expectException(\RuntimeException::class);
+        $this->expectExceptionCode(1531336156);
+
+        $subject = new CommandLineBackend();
+        $serialized = serialize($subject);
+        unserialize($serialized);
+    }
+
+    /**
+     * @test
+     */
+    public function unsetsPathsOnUnserialization()
+    {
+        try {
+            $subject = $this->getAccessibleMock(CommandLineBackend::class);
+            $subject->_set('opensslPath', 'foo');
+            $subject->_set('temporaryDirectory', 'foo');
+            $serialized = serialize($subject);
+            unserialize($serialized);
+        } catch (\RuntimeException $e) {
+            $this->assertNull($subject->_get('opensslPath'));
+            $this->assertNull($subject->_get('temporaryDirectory'));
+        }
+    }
+
+    protected function skipIfWindows()
+    {
+        if (TYPO3_OS === 'WIN') {
+            $this->markTestSkipped(
+                'This test is not available on Windows as auto-detection of openssl path will fail.'
+            );
+        }
+    }
 }