Commit d5e7f853 authored by Oliver Hader's avatar Oliver Hader Committed by Frank Nägler
Browse files

[TASK] Harden internal state handling

Internal components using `unserialize` are enforced to disallow
classes in their internal state representation. This is a preparation
for starting with RIPS scanner.

Resolves: #91571
Releases: master, 10.4, 9.5
Change-Id: I3a5026e34a381e79817b46025d81083b2bc5b290
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64779


Tested-by: default avatarTYPO3com <noreply@typo3.com>
Tested-by: Frank Nägler's avatarFrank Nägler <frank.naegler@typo3.org>
Reviewed-by: Frank Nägler's avatarFrank Nägler <frank.naegler@typo3.org>
parent abc757fe
......@@ -429,7 +429,7 @@ class CharsetConverter implements SingletonInterface
// Caching brought parsing time for gb2312 down from 2400 ms to 150 ms. For other charsets we are talking 11 ms down to zero.
$cacheFile = Environment::getVarPath() . '/charset/charset_' . $charset . '.tbl';
if ($cacheFile && @is_file($cacheFile)) {
$this->parsedCharsets[$charset] = unserialize(file_get_contents($cacheFile));
$this->parsedCharsets[$charset] = unserialize(file_get_contents($cacheFile), ['allowed_classes' => false]);
} else {
// Parse conversion table into lines:
$lines = GeneralUtility::trimExplode(LF, file_get_contents($charsetConvTableFile), true);
......@@ -495,7 +495,7 @@ class CharsetConverter implements SingletonInterface
}
// Use cached version if possible
if ($cacheFileASCII && @is_file($cacheFileASCII)) {
$this->toASCII['utf-8'] = unserialize(file_get_contents($cacheFileASCII));
$this->toASCII['utf-8'] = unserialize(file_get_contents($cacheFileASCII), ['allowed_classes' => false]);
return 2;
}
// Process main Unicode data file
......@@ -657,7 +657,7 @@ class CharsetConverter implements SingletonInterface
// Use cached version if possible
$cacheFile = Environment::getVarPath() . '/charset/csascii_' . $charset . '.tbl';
if ($cacheFile && @is_file($cacheFile)) {
$this->toASCII[$charset] = unserialize(file_get_contents($cacheFile));
$this->toASCII[$charset] = unserialize(file_get_contents($cacheFile), ['allowed_classes' => false]);
return 2;
}
// Init UTF-8 conversion for this charset
......
......@@ -89,7 +89,7 @@ class ProcessedFileRepository extends AbstractRepository implements LoggerAwareI
$originalFile = $this->factory->getFileObject((int)$databaseRow['original']);
$originalFile->setStorage($this->factory->getStorageObject($originalFile->getProperty('storage')));
$taskType = $databaseRow['task_type'];
$configuration = unserialize($databaseRow['configuration']);
$configuration = unserialize($databaseRow['configuration'], ['allowed_classes' => false]);
return GeneralUtility::makeInstance(
$this->objectType,
......
......@@ -477,7 +477,7 @@ class TypoScriptParser
}
// unserialize(serialize(...)) may look stupid but is needed because of some reference issues.
// See forge issue #76919 and functional test hasFlakyReferences()
$this->setVal($objStrName, $setup, unserialize(serialize($res)), 1);
$this->setVal($objStrName, $setup, unserialize(serialize($res), ['allowed_classes' => false]), 1);
break;
case '>':
if ($this->syntaxHighLight) {
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment