Bug #71760
Possible insecure unserialize exploitation in UploadExtensionFileController (closed)
Description
The class
TYPO3\CMS\Extensionmanager\Controller\UploadExtensionFileController
has the __destruct() (calling removeBackupFolder()) method which will be called after unserialize().
Another example:
TYPO3\CMS\Core\Service\AbstractService
If this class does not need to support serialization, we should consider implementing the method __wakeup() and throwing an exception.
If the class really needs to be serialized, then there should be additional checks done before removing a directory (like checking that the deletion takes place in typo3temp, etc.).
Updated by Stefan Neufeind over 8 years ago
- Status changed from New to In Progress
Proposal to solve that with __wakeup(), provided by a trait that can easily be added to classes we explicitly don't want to be unserializable, at:
https://review.typo3.org/44883
Updated by Helmut Hummel over 8 years ago
- Subject changed from Insecure unserialize possible with UploadExtensionFileController to Possible insecure unserialize exploitation in UploadExtensionFileController
Updated by Helmut Hummel over 8 years ago
This is not about a currently exploitable security issue, but a precaution in case e.g. extensions introduce an insecure unserialize.
Thus, we can handle that in public.
Updated by Helmut Hummel over 8 years ago
- Project changed from 1716 to TYPO3 Core
- Is Regression set to No
Updated by Gerrit Code Review over 8 years ago
- Status changed from In Progress to Under Review
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/44883
Updated by Gerrit Code Review over 8 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/44883
Updated by Gerrit Code Review over 8 years ago
Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/44883
Updated by Christian Kuhn almost 8 years ago
- Status changed from Under Review to Rejected
In v8 with PHP 7 unserialize($myString, false); this is solved in a much more elegant way.
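The following is an added, self-contained example (not TYPO3 code and not from any participant in this ticket) that puts the three points raised above side by side: the destructor gadget described in the report, the __wakeup() trait approach from Stefan's proposal, and the PHP 7+ unserialize() options argument from Christian's closing comment. The class names UnsafeUploadController, HardenedUploadController and BlockSerializationTrait, the property backupPath and the typo3temp-demo base directory are hypothetical stand-ins; the serialized payload is constructed here for the demonstration. The example uses the documented options-array form unserialize($s, ['allowed_classes' => false]), available since PHP 7.0.

```php
<?php
declare(strict_types=1);

// Hypothetical trait (stand-in for the idea in review 44883):
// refuse to be re-hydrated from a serialized string at all.
trait BlockSerializationTrait
{
    public function __wakeup(): void
    {
        throw new \RuntimeException('Deserialization of ' . static::class . ' is not allowed');
    }
}

// "Before": destructor removes whatever directory a property points at.
// Any unserialize() of attacker-controlled data can set that property.
final class UnsafeUploadController
{
    public string $backupPath = '';

    public function __destruct()
    {
        $this->removeBackupFolder();
    }

    private function removeBackupFolder(): void
    {
        if ($this->backupPath !== '' && is_dir($this->backupPath)) {
            @rmdir($this->backupPath); // stands in for a recursive delete
        }
    }
}

// "After": unserialize() is refused via __wakeup(), and the delete is
// additionally confined to a known base directory (the ticket's typo3temp idea).
final class HardenedUploadController
{
    use BlockSerializationTrait;

    public string $backupPath = '';

    public function __destruct()
    {
        $this->removeBackupFolder();
    }

    private function removeBackupFolder(): void
    {
        $base = realpath(sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'typo3temp-demo');
        $real = $this->backupPath === '' ? false : realpath($this->backupPath);
        if ($base === false || $real === false) {
            return;
        }
        // Only delete strictly below $base; refuse $base itself and anything outside it.
        if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
            return;
        }
        @rmdir($real);
    }
}

// Constructed gadget: O:<len>:"<class>":1:{s:10:"backupPath";s:<len>:"<path>";}
function gadget(string $class, string $path): string
{
    return sprintf('O:%d:"%s":1:{s:10:"backupPath";s:%d:"%s";}',
        strlen($class), $class, strlen($path), $path);
}

// Constructed victim directory (outside the hardened class's base directory).
$victim = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'victim-' . bin2hex(random_bytes(4));
@mkdir(sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'typo3temp-demo');
mkdir($victim);

// 1. Vulnerable: the object is built, discarded, and its destructor fires.
unserialize(gadget('UnsafeUploadController', $victim));
echo '1. unsafe class:    ', is_dir($victim) ? "victim survived\n" : "victim deleted\n";

// 2. __wakeup() guard: unserialize() throws; the path check also refuses the delete.
mkdir($victim);
try {
    unserialize(gadget('HardenedUploadController', $victim));
} catch (\RuntimeException $e) {
    echo '2. hardened class:  blocked (', $e->getMessage(), ")\n";
}
echo '   ', is_dir($victim) ? "victim survived\n" : "victim deleted\n";

// 3. allowed_classes => false: no user class is instantiated, so no
//    __wakeup()/__destruct() gadget can run; you get __PHP_Incomplete_Class.
$obj = unserialize(gadget('UnsafeUploadController', $victim), ['allowed_classes' => false]);
echo '3. allowed_classes: got ', get_class($obj), ', ',
    is_dir($victim) ? "victim survived\n" : "victim deleted\n";

rmdir($victim);
```

Run it with php on a PHP 7.0 or later CLI. Step 1 reports the victim directory deleted, steps 2 and 3 report it surviving. The two mitigations are complementary: the trait protects a class wherever some other code (an extension, for instance) calls a bare unserialize(), while allowed_classes protects a given unserialize() call site regardless of which classes exist in the autoloader; the path confinement in removeBackupFolder() is the defence-in-depth check the report asks for if the class ever does have to be serializable.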