General and unscoped collection of user settings in `$BE_USER->uc` is vulnerable to insecure deserialization, triggered by lots of different consumers invoking `unserialize()`. Class deserialization is denied by using option `['allowed_classes' => false]`.

Resolves: #90313
Releases: master, 9.5
Change-Id: Ic969441bcd4e85fcdbbde23f539bfbcb629ffbb4
Security-Bulletin: TYPO3-CORE-SA-2020-005
Security-References: CVE-2020-11067
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64469
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
e4fb92a8
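
The effect of the `['allowed_classes' => false]` option named in the commit message, shown as an added example that is not part of the TYPO3 commit or code base. The `Probe` class, the `decodeUserSettings()` helper and the sample blob are constructed for illustration; the array-only fallback in the helper is an assumption of this example, not something the commit states.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for any class with a magic method; not a TYPO3 class.
final class Probe
{
    public static int $wakeups = 0;
    public string $note = 'constructed sample';

    public function __wakeup(): void
    {
        // Runs inside unserialize() whenever this class is instantiated.
        self::$wakeups++;
    }
}

/**
 * Hypothetical helper: decode a stored settings blob without instantiating
 * any class, and fall back to an empty array for anything that is not an array.
 */
function decodeUserSettings(string $blob): array
{
    // @ suppresses the notice/warning PHP emits for malformed input.
    $data = @unserialize($blob, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Constructed sample: a settings array that also carries a serialized object.
$blob = serialize(['titleLen' => 50, 'nested' => new Probe()]);

// Before: default options instantiate the object, so __wakeup() executes.
$before = unserialize($blob);
var_dump($before['nested'] instanceof Probe);
var_dump(Probe::$wakeups);

// After: the object is returned as an inert __PHP_Incomplete_Class,
// no magic method runs, and scalar settings are still readable.
$after = decodeUserSettings($blob);
var_dump($after['nested'] instanceof __PHP_Incomplete_Class);
var_dump(Probe::$wakeups);
var_dump($after['titleLen']);

// Malformed input yields the empty-array fallback instead of false.
var_dump(decodeUserSettings('not a serialized value'));
```

The wakeup counter stays unchanged across the second decode, which is the property to assert in a regression test for any consumer that reads serialized user settings.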