[SECURITY] Fix insecure unserialize in colorpicker 93/30293/2
authorHelmut Hummel <helmut.hummel@typo3.org>
Thu, 22 May 2014 07:32:58 +0000 (09:32 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Thu, 22 May 2014 07:33:02 +0000 (09:33 +0200)
Change-Id: Id3a692cdccb2d3a9ae46ae635ee5c316fa36e371
Fixes: #56458
Releases: 6.1, 6.0, 4.7, 4.5
Security-Commit: 3981e7efef710d680a18f8a5537a7085e540aab3
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30293
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/backend/Classes/Controller/Wizard/ColorpickerController.php

index 05bbe4d..8983c59 100644 (file)
@@ -138,10 +138,10 @@ class ColorpickerController {
                                $this->imageError = 'ERROR: The image, "' . $this->exampleImg . '", could not be found!';
                        }
                }
-               // Setting field-change functions:
-               $fieldChangeFuncArr = unserialize($this->fieldChangeFunc);
                $update = '';
                if ($this->areFieldChangeFunctionsValid()) {
+                       // Setting field-change functions:
+                       $fieldChangeFuncArr = unserialize($this->fieldChangeFunc);
                        unset($fieldChangeFuncArr['alert']);
                        foreach ($fieldChangeFuncArr as $v) {
                                $update .= '
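Review bot: The `unserialize()` call moved inside the `if` block now relies entirely on `areFieldChangeFunctionsValid()`, whose body is not in this hunk, and the comment above the call does not record that this ordering is the security fix. I would replace `// Setting field-change functions:` with `// Unserialize only after the validity check above has passed; do not move this call out of the if-block.` so a later refactor does not hoist it back out. The return value is also used unchecked, so if `unserialize()` yields `false` or a non-array, the `unset` and `foreach` run on a non-array; a guard such as `if (!is_array($fieldChangeFuncArr)) { $fieldChangeFuncArr = array(); }` would cover that. Longer term, encoding this parameter as JSON would take object instantiation out of this path altogether, though that presumably means changing the code that produces the parameter. The enclosing method starts and ends outside the hunk.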