Commit edd2ef46 authored by Benni Mack's avatar Benni Mack Committed by Christian Kuhn

[TASK] Streamline log_data fetching

This change passes allowed_classes=false to every
unserialize() call on sys_log.log_data; previously
the option was not set.

Resolves: #95731
Releases: master
Change-Id: I1619aeba8f9c40696f15e040bc56007ffe3baf48
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/71937


Tested-by: core-ci's avatarcore-ci <typo3@b13.com>
Tested-by: Stefan Bürk's avatarStefan Bürk <stefan@buerk.tech>
Tested-by: Christian Kuhn's avatarChristian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Stefan Bürk's avatarStefan Bürk <stefan@buerk.tech>
Reviewed-by: Christian Kuhn's avatarChristian Kuhn <lolli@schwarzbu.ch>
parent bf903bb6
...@@ -8859,7 +8859,7 @@ class DataHandler implements LoggerAwareInterface ...@@ -8859,7 +8859,7 @@ class DataHandler implements LoggerAwareInterface
->execute(); ->execute();
while ($row = $result->fetchAssociative()) { while ($row = $result->fetchAssociative()) {
$log_data = unserialize($row['log_data']) ?: []; $log_data = unserialize($row['log_data'], ['allowed_classes' => false]) ?: [];
$msg = $row['error'] . ': ' . sprintf($row['details'], $log_data[0] ?? '', $log_data[1] ?? '', $log_data[2] ?? '', $log_data[3] ?? '', $log_data[4] ?? ''); $msg = $row['error'] . ': ' . sprintf($row['details'], $log_data[0] ?? '', $log_data[1] ?? '', $log_data[2] ?? '', $log_data[3] ?? '', $log_data[4] ?? '');
/** @var FlashMessage $flashMessage */ /** @var FlashMessage $flashMessage */
$flashMessage = GeneralUtility::makeInstance(FlashMessage::class, $msg, '', $row['error'] === SystemLogErrorClassification::WARNING ? FlashMessage::WARNING : FlashMessage::ERROR, true); $flashMessage = GeneralUtility::makeInstance(FlashMessage::class, $msg, '', $row['error'] === SystemLogErrorClassification::WARNING ? FlashMessage::WARNING : FlashMessage::ERROR, true);
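Review bot: The `?: []` fallback on the new `unserialize()` line only replaces falsy results, so a truthy non-array value still reaches `$log_data[0]`. With `allowed_classes => false`, a serialized object comes back as `__PHP_Incomplete_Class`, and indexing it should raise an Error instead of degrading to an empty message; a serialized string would be indexed by character and fed into `sprintf()`. An explicit shape check closes this: keep the `unserialize()` call without `?: []` and follow it with `$log_data = is_array($log_data) ? $log_data : [];`. The same applies to `$logData` in ListSysLogCommand, where `$logData['originalUser'] ?? null` would hit the same object-as-array error. The loop body continues outside the hunk.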
......
...@@ -79,9 +79,9 @@ class ListSysLogCommand extends Command ...@@ -79,9 +79,9 @@ class ListSysLogCommand extends Command
->execute(); ->execute();
while ($row = $rowIterator->fetchAssociative()) { while ($row = $rowIterator->fetchAssociative()) {
$logData = unserialize($row['log_data']); $logData = unserialize($row['log_data'], ['allowed_classes' => false]) ?: [];
$userInformation = $row['userid']; $userInformation = $row['userid'];
if (!empty($logData['originalUser'])) { if (!empty($logData['originalUser'] ?? null)) {
$userInformation .= ' via ' . $logData['originalUser']; $userInformation .= ' via ' . $logData['originalUser'];
} }
......
...@@ -433,7 +433,7 @@ class RemoteServer ...@@ -433,7 +433,7 @@ class RemoteServer
while ($sysLogRow = $result->fetchAssociative()) { while ($sysLogRow = $result->fetchAssociative()) {
$sysLogEntry = []; $sysLogEntry = [];
$data = unserialize($sysLogRow['log_data']); $data = unserialize($sysLogRow['log_data'], ['allowed_classes' => false]);
$beUserRecord = BackendUtility::getRecord('be_users', $sysLogRow['userid']); $beUserRecord = BackendUtility::getRecord('be_users', $sysLogRow['userid']);
$sysLogEntry['stage_title'] = htmlspecialchars($this->stagesService->getStageTitle($data['stage'])); $sysLogEntry['stage_title'] = htmlspecialchars($this->stagesService->getStageTitle($data['stage']));
$sysLogEntry['user_uid'] = (int)$sysLogRow['userid']; $sysLogEntry['user_uid'] = (int)$sysLogRow['userid'];
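Review bot: `$data` gets no fallback here, unlike the other two call sites in this commit, so a `false` result from `unserialize()` (empty or malformed `log_data`) or a non-array value flows straight into `$data['stage']` two lines later. That offset is read without a guard and passed to `getStageTitle()`, whose parameter type is not visible in this hunk and may reject `null`. I would add `$data = is_array($data) ? $data : [];` after the `unserialize()` call and either skip the row or substitute a default when `stage` is absent. The loop continues outside the hunk.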
......