Project

General

Profile

Actions

Epic #76311

closed

Use PHP7 unserialize('daString', false); feature everywhere

Added by Christian Kuhn about 8 years ago. Updated about 7 years ago.

Status:
Closed
Priority:
Should have
Category:
Security
Target version:
Start date:
2016-05-27
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
Sprint Focus:

Description

master only


Subtasks 3 (0 open3 closed)

Task #76320: unserialize() without objects for extConfClosed2016-05-27

Actions
Task #76323: Obsolete unserialize(serialize())Closed2016-05-27

Actions
Task #76327: unserialize() without objects in impexpClosed2016-05-27

Actions
Actions #1

Updated by Stephan Großberndt about 8 years ago

in order to disallow any class unserialization

Actions #2

Updated by Christian Kuhn about 8 years ago

  • Assignee set to Christian Kuhn
Actions #3

Updated by Christian Kuhn about 8 years ago

unserialize($sFoo, ['allowed_classes' => false]);

Actions #4

Updated by Christian Kuhn about 8 years ago

  • Tracker changed from Task to Epic
Actions #6

Updated by Christian Kuhn over 7 years ago

abandoned patch https://review.typo3.org/#/c/48300/ shows a lot of places that might be tackled in small parts ...

Actions #7

Updated by Riccardo De Contardi over 7 years ago

  • Category set to Security
  • Target version set to 8 LTS
Actions #8

Updated by Benni Mack about 7 years ago

  • Status changed from New to Closed
Actions

Also available in: Atom PDF