Bug #91387
Relax constraints on serializing objects
Status: Closed
Priority: Should have
Assignee:
Category: Security
Target version:
Start date: 2020-05-13
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 9
PHP Version:
Tags:
Complexity:
Is Regression: Yes
Sprint Focus:
Description
With security advisory https://typo3.org/security/advisory/TYPO3-CORE-SA-2020-004 the new BlockSerializationTrait
was introduced, blocking both serialization and deserialization for a couple of classes (see the advisory for details). Since this causes a couple of side-effects for valid use cases, the restriction on serialize()
is removed, while deserialization stays blocked. This is fine from a security point of view: the risk the advisory addresses lies in restoring objects from untrusted input, not in writing them out.
Possible use case:
Some system state has to be persisted for documentation purposes, which needs a working serialization. De-serialization is not needed in such cases.
Reported by Gernot Leitgab in https://typo3.slack.com/archives/C0K5MU94J/p1589366052028100
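The following is an added illustration of the relaxed behaviour described above; it is not TYPO3's own BlockSerializationTrait and does not claim to match its implementation. It assumes the usual PHP mechanism for this kind of guard, the magic methods __sleep() and __wakeup(): the trait lets serialize() produce a string (so a system state can be persisted for documentation), while unserialize() of that string is refused. The SystemState class and its sample data are constructed for the example.

```php
<?php
declare(strict_types=1);

// Illustrative trait (assumption: not the TYPO3 core trait).
// Serialization is permitted, restoring an instance is refused.
trait BlockUnserializationTrait
{
    // serialize() calls __sleep(): return the property names to persist.
    public function __sleep(): array
    {
        return array_keys(get_object_vars($this));
    }

    // unserialize() calls __wakeup() after rebuilding the object: abort here,
    // so no instance with attacker-controlled state ever becomes usable.
    public function __wakeup(): void
    {
        throw new \BadMethodCallException(
            sprintf('Deserializing %s is not allowed', static::class)
        );
    }
}

// Constructed example of "some system state" that should be persisted.
final class SystemState
{
    use BlockUnserializationTrait;

    /** @var array */
    protected $snapshot;

    public function __construct(array $snapshot)
    {
        $this->snapshot = $snapshot;
    }

    public function getSnapshot(): array
    {
        return $this->snapshot;
    }
}

// Persisting for documentation purposes works (sample data is constructed):
$state = new SystemState(['extensions' => ['core', 'backend'], 'locked' => false]);
$blob = serialize($state);
echo 'persisted: ', $blob, PHP_EOL;

// Restoring the object is refused by the trait:
try {
    unserialize($blob);
    echo 'unexpected: object was restored', PHP_EOL;
} catch (\BadMethodCallException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}

// Independent of the trait, code that must unserialize untrusted input
// should disable object instantiation altogether (PHP >= 7.0):
$data = unserialize($blob, ['allowed_classes' => false]);
// $data is now a __PHP_Incomplete_Class, not a live SystemState.
echo 'with allowed_classes=false: ', get_class($data), PHP_EOL;
```

The guard in __wakeup() is what the advisory relies on: an object built from a serialized string is never handed back to the caller. Dropping the corresponding check from __sleep() only affects writing objects out, which is why the relaxation does not weaken the fix. On PHP 7.4 and later the same pattern can be expressed with __serialize()/__unserialize(), which take precedence over __sleep()/__wakeup() when both are defined.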