Bug #71760

closed

Possible insecure unserialize exploitation in UploadExtensionFileController

Added by Valentin Despa over 8 years ago. Updated almost 8 years ago.

Status: Rejected
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2015-11-21
% Done: 0%
TYPO3 Version: 7
Is Regression: No

Description

The class

TYPO3\CMS\Extensionmanager\Controller\UploadExtensionFileController

has the __destruct() (calling removeBackupFolder()) method which will be called after unserialize().

Another example:

TYPO3\CMS\Core\Service\AbstractService

If this class does not need to support serialization, we should consider implementing the method __wakeup() and throwing an exception.

If the class really needs to be serialized, then there should be additional checks done before removing a directory (like checking if the deletion takes place in typo3temp, etc.).

Actions #1

Updated by Valentin Despa over 8 years ago

  • Description updated (diff)

Actions #2

Updated by Stefan Neufeind over 8 years ago

  • Status changed from New to In Progress

Proposal to solve that with __wakeup(), provided by trait that can easily be added to classes we explicitly don't want to be unserializable() at:
https://review.typo3.org/44883

Actions #3

Updated by Helmut Hummel over 8 years ago

  • Subject changed from Insecure unserialize possible with UploadExtensionFileController to Possible insecure unserialize exploitation in UploadExtensionFileController

Actions #4

Updated by Helmut Hummel over 8 years ago

This is not about a currently exploitable security issue, but a precaution in case e.g. extensions introduce an insecure unserialize.

Thus, we can handle that in public.

Actions #5

Updated by Helmut Hummel over 8 years ago

  • Project changed from 1716 to TYPO3 Core
  • Is Regression set to No

Actions #6

Updated by Gerrit Code Review over 8 years ago

  • Status changed from In Progress to Under Review

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/44883

Actions #7

Updated by Gerrit Code Review over 8 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/44883

Actions #8

Updated by Gerrit Code Review over 8 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/44883

Actions #9

Updated by Christian Kuhn almost 8 years ago

  • Status changed from Under Review to Rejected

In v8 with PHP 7, unserialize($myString, false); this is solved in a much more elegant way.
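An added example (not code from the TYPO3 project or from anyone in this thread) putting the two mitigations discussed here side by side: the __wakeup() trait from the description and comment #2, and the allowed_classes option from comment #9. The trait, class and function names are invented, and the serialized payload is constructed for the demo.

```php
<?php
// Trait providing the __wakeup() guard proposed in the description: classes
// that never need to round-trip through serialize() mix it in, so unserialize()
// fails with an exception instead of handing the caller a live object.
trait NotUnserializable
{
    public function __wakeup()
    {
        throw new \RuntimeException(static::class . ' must not be unserialized');
    }
}

// Hypothetical stand-in for UploadExtensionFileController: it removes a backup
// folder in its destructor, which is the side effect the report is about.
final class BackupCleanupController
{
    use NotUnserializable;
    private $backupFolder;

    public function __destruct()
    {
        // Second guard, as the report suggests: only delete below the temp root,
        // resolved through realpath() so "../" segments cannot escape it.
        $root = realpath(sys_get_temp_dir());
        $target = realpath($this->backupFolder);
        if ($root === false || $target === false || strpos($target, $root . '/') !== 0) {
            return;
        }
        @rmdir($target);
    }
}

// PHP 7 option referred to in comment #9: with allowed_classes => false every
// object in the payload becomes __PHP_Incomplete_Class, so no __wakeup() or
// __destruct() of a real class runs at all.
function unserializeWithoutObjects($data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Constructed payload: the class above with its folder pointed outside tmp.
$payload = 'O:23:"BackupCleanupController":1:{s:37:"'
    . "\0BackupCleanupController\0backupFolder" . '";s:4:"/etc";}';
try {
    unserialize($payload);
} catch (\RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
echo get_class(unserializeWithoutObjects($payload)), PHP_EOL;
```

The first call is stopped by the trait, the second never instantiates the real class; the realpath() check in __destruct() is the fallback for classes that genuinely have to stay serializable.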
