-
To mitigate potential "unsecure unserialize()" issues, the new PHP7 feature to allow only specific classes or to totally deny object creation is rolled out throughout the core in v8. Since a lot of places use unserialize() and some are critical or hard to understand, this is done with a series of patches for single areas. This patch denies object creation at all places where $GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['anExtension'] is unserialized() - the extension manager and ext_conf_template.txt handling never handles objects at this place, so it should be safe to deny objects at all places. Change-Id: Ie96e6fb6837418fd765f883b216b7a9c5af5795d Resolves: #76320 Releases: master Reviewed-on: https://review.typo3.org/48314 Reviewed-by:
Morton Jonuschat <m.jonuschat@mojocode.de> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
7e2ce1d2
