[TASK] Use secure deserialization in extension manager 58/57458/3
authorOliver Hader <oliver@typo3.org>
Tue, 3 Jul 2018 14:16:19 +0000 (16:16 +0200)
committerTymoteusz Motylewski <t.motylewski@gmail.com>
Thu, 5 Jul 2018 14:47:51 +0000 (16:47 +0200)
In order to harden the deserialization of scalar and array values
in the extension manager, unserialize() calls are hardened further to
disallow object reconstitution. The information is retrieved from
the TYPO3 extension repository (TER), where corresponding countermeasures
are in place to protect against object injection - that's why this change
is considered hardening and not a security issue.

Resolves: #85466
Releases: master, 8.7
Change-Id: I65b61d61e08d0c50b27ae9102d7ba4c4518a8788
Reviewed-on: https://review.typo3.org/57458
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Daniel Goerz <ervaude@gmail.com>
Tested-by: Daniel Goerz <ervaude@gmail.com>
Reviewed-by: Joerg Boesche <typo3@joergboesche.de>
Reviewed-by: Tymoteusz Motylewski <t.motylewski@gmail.com>
Tested-by: Tymoteusz Motylewski <t.motylewski@gmail.com>
typo3/sysext/extensionmanager/Classes/Utility/Connection/TerUtility.php
typo3/sysext/extensionmanager/Classes/Utility/EmConfUtility.php
typo3/sysext/extensionmanager/Classes/Utility/ExtensionModelUtility.php
typo3/sysext/extensionmanager/Classes/Utility/Parser/AbstractExtensionXmlParser.php

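index 05b54af..4185c53 100644
--- a/typo3/sysext/extensionmanager/Classes/Utility/Connection/TerUtility.php
+++ b/typo3/sysext/extensionmanager/Classes/Utility/Connection/TerUtility.php
@@ -91,7 +91,7 @@ class TerUtility
                     throw new ExtensionManagerException('Decoding Error: No decompressor available for compressed content. gzuncompress() function is not available!', 1342859463);
                 }
             }
-            $listArr = unserialize($dat);
+            $listArr = unserialize($dat, ['allowed_classes' => false]);
             if (!is_array($listArr)) {
                 throw new ExtensionManagerException('Error: Unserialized information was not an array - strange!', 1342859489);
             }
@@ -120,7 +120,7 @@ class TerUtility
             }
         }
         if (md5($parts[2]) === $parts[0]) {
-            $output = unserialize($parts[2]);
+            $output = unserialize($parts[2], ['allowed_classes' => false]);
             if (!is_array($output)) {
                 throw new ExtensionManagerException('Error: Content could not be unserialized to an array. Strange (since MD5 hashes match!)', 1344761938);
             }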
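Review bot: The `is_array($listArr)` check after the new `unserialize($dat, ['allowed_classes' => false])` call verifies only the top-level shape; with allowed_classes disabled, any serialized object nested inside the array is reconstituted as a `__PHP_Incomplete_Class` instance rather than rejected, so consumers that index into entries still need to tolerate non-array elements. A short comment would make the intent visible to the next reader, e.g. `// allowed_classes=false: serialized objects become __PHP_Incomplete_Class; only the outer array shape is verified here`. The same applies to the corresponding hunks in EmConfUtility.php, ExtensionModelUtility.php and AbstractExtensionXmlParser.php. In the second hunk, `md5($parts[2]) === $parts[0]` compares a hash that appears to travel in the same payload as the content it covers, so it is an integrity check against transport corruption, not proof of origin; the "countermeasures" the commit message refers to presumably live on the TER side and not in this comparison. The enclosing methods continue outside both hunks.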
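index 4815f23..d150d6e 100644
--- a/typo3/sysext/extensionmanager/Classes/Utility/EmConfUtility.php
+++ b/typo3/sysext/extensionmanager/Classes/Utility/EmConfUtility.php
@@ -54,7 +54,7 @@ class EmConfUtility implements SingletonInterface
     public function constructEmConf(array $extensionData, \TYPO3\CMS\Extensionmanager\Domain\Model\Extension $extension = null)
     {
         if (is_object($extension) && empty($extensionData['EM_CONF']['constraints'])) {
-            $extensionData['EM_CONF']['constraints'] = unserialize($extension->getSerializedDependencies());
+            $extensionData['EM_CONF']['constraints'] = unserialize($extension->getSerializedDependencies(), ['allowed_classes' => false]);
         }
         $emConf = $this->fixEmConf($extensionData['EM_CONF']);
         $emConf = var_export($emConf, true);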
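Review bot: The new `unserialize($extension->getSerializedDependencies(), ['allowed_classes' => false])` assignment is the only one of the four call sites in this change whose result is not checked with is_array() before use; on a malformed or empty serialized string unserialize() returns false, which then reaches fixEmConf() and var_export() as the constraints value. Whether fixEmConf() tolerates false is outside the hunk, but for consistency with the other three hunks I would split the line: `$constraints = unserialize($extension->getSerializedDependencies(), ['allowed_classes' => false]);` followed by `$extensionData['EM_CONF']['constraints'] = is_array($constraints) ? $constraints : [];`. constructEmConf continues past the end of the hunk.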
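index 5977ea5..4f6946e 100644
--- a/typo3/sysext/extensionmanager/Classes/Utility/ExtensionModelUtility.php
+++ b/typo3/sysext/extensionmanager/Classes/Utility/ExtensionModelUtility.php
@@ -61,7 +61,7 @@ class ExtensionModelUtility
     public function convertDependenciesToObjects($dependencies)
     {
         $dependenciesObject = new \SplObjectStorage();
-        $unserializedDependencies = unserialize($dependencies);
+        $unserializedDependencies = unserialize($dependencies, ['allowed_classes' => false]);
         if (!is_array($unserializedDependencies)) {
             return $dependenciesObject;
         }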
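index f9b772e..4e3e325 100644
--- a/typo3/sysext/extensionmanager/Classes/Utility/Parser/AbstractExtensionXmlParser.php
+++ b/typo3/sysext/extensionmanager/Classes/Utility/Parser/AbstractExtensionXmlParser.php
@@ -403,7 +403,7 @@ abstract class AbstractExtensionXmlParser extends AbstractXmlParser
     protected function convertDependencies($dependencies)
     {
         $newDependencies = [];
-        $dependenciesArray = unserialize($dependencies);
+        $dependenciesArray = unserialize($dependencies, ['allowed_classes' => false]);
         if (is_array($dependenciesArray)) {
             foreach ($dependenciesArray as $version) {
                 if (!empty($version['kind']) && !empty($version['extensionKey'])) {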
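Review bot: The loop following the new `unserialize($dependencies, ['allowed_classes' => false])` call still treats every `$version` as an array, while the `is_array($dependenciesArray)` guard covers only the outer value; with allowed_classes disabled a serialized object inside the payload arrives as a `__PHP_Incomplete_Class` instance, and a scalar entry is equally possible from untrusted input. Guarding the element type keeps such entries from reaching the `$version['kind']` / `$version['extensionKey']` accesses: `if (is_array($version) && !empty($version['kind']) && !empty($version['extensionKey'])) {`. convertDependencies continues past the end of the hunk.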