-
If the TCEforms wizard "add" is used, the original opened document is closed and a new one is created in which you then add a new element to be related. In order to "store" the originating document which has been edited, the Wizard/AddController and EditDocumentController exchange state data in an URL-parameter. This state-array is serialized in the EditDocumentController and again unserialized in the Wizard/AddController from that GET parameter. Without any checks, every code can be injected to be unserialized here - even though we just need an array with some data. This patch changes serialize/unserialize to json_encode and json_decode. Since the GET parameter only is used in conjunction of these two classes it is save to changes the format how the URL parameters are serialized. Change-Id: I3b41bd0a688f067af2ea4a345ce0264f61bdecf7 Fixes: #54073 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: 7148349140f9c8ccb6d847ef58cf1e032711315b Security-Bulletin: TYPO3-CORE-SA-2013-004 Reviewed-on: https://review.typo3.org/26216 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
4d44daa0