Task #85466

Use secure deserialization in extension manager

Added by Oliver Hader about 1 year ago. Updated 10 months ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Extension Manager
Target version: -
Start date: 2018-07-03
Due date:
% Done: 100%
TYPO3 Version: 8
PHP Version: 7.0
Tags:
Complexity:
Sprint Focus:

Description

In order to harden the deserialization of scalar and array values in extension manager, unserialize() calls are hardened further to disallow object reconstitution. The information is retrieved from the TYPO3 extension repository (TER), where corresponding countermeasures are in place to protect against object injections - that's why this change is considered as hardening and not as a security issue.
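
The kind of hardening described above, as an added example that is not the TYPO3 patch or project code. It assumes PHP 7's `allowed_classes` option of unserialize() is the mechanism; `DemoGadget`, `containsObject()`, `unserializeScalarsAndArrays()` and both payloads are constructed for illustration.

```php
<?php
// Constructed stand-in for any class with a magic method.
final class DemoGadget
{
    public $note = 'constructed';
    public function __wakeup()
    {
        echo "DemoGadget::__wakeup() ran\n";
    }
}

// Hypothetical helper: true if an object (or its placeholder) is nested in $value.
function containsObject($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class || is_object($value)) {
        return true;
    }
    foreach (is_array($value) ? $value : [] as $item) {
        if (containsObject($item)) {
            return true;
        }
    }
    return false;
}

// Hypothetical helper: deserialize data that must hold only scalars and arrays.
function unserializeScalarsAndArrays(string $payload)
{
    // allowed_classes => false (PHP >= 7.0): no class is instantiated, so no
    // __wakeup()/__destruct() runs; objects become __PHP_Incomplete_Class.
    $value = unserialize($payload, ['allowed_classes' => false]);
    if ($value === false && $payload !== serialize(false)) {
        throw new UnexpectedValueException('Malformed serialized data');
    }
    if (containsObject($value)) {
        throw new UnexpectedValueException('Serialized objects are not accepted');
    }
    return $value;
}

// Constructed sample payloads: one plain array, one carrying an object.
$plain = serialize(['key' => 'demo_ext', 'depends' => ['typo3' => '8.7.0-8.7.99']]);
$withObject = serialize(['key' => 'demo_ext', 'meta' => new DemoGadget()]);
var_dump(unserializeScalarsAndArrays($plain));
try {
    unserializeScalarsAndArrays($withObject);
} catch (UnexpectedValueException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```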

Associated revisions

Revision 728ec5b0 (diff)
Added by Oliver Hader about 1 year ago

[TASK] Use secure deserialization in extension manager

In order to harden the deserialization of scalar and array values
in extension manager unserialize() calls are hardened further to
disallow object reconstitution. The information is retrieved from
the TYPO3 extension repository (TER) where according countermeasures
are in place to protect object injections - that's why this change
is considered as hardening and not as security issue.

Resolves: #85466
Releases: master, 8.7
Change-Id: I65b61d61e08d0c50b27ae9102d7ba4c4518a8788
Reviewed-on: https://review.typo3.org/57458
Reviewed-by: Andreas Fernandez
Tested-by: Andreas Fernandez
Tested-by: TYPO3com
Reviewed-by: Daniel Goerz
Tested-by: Daniel Goerz
Reviewed-by: Joerg Boesche
Reviewed-by: Tymoteusz Motylewski
Tested-by: Tymoteusz Motylewski

Revision 09856b40 (diff)
Added by Oliver Hader about 1 year ago

[TASK] Use secure deserialization in extension manager

In order to harden the deserialization of scalar and array values
in extension manager unserialize() calls are hardened further to
disallow object reconstitution. The information is retrieved from
the TYPO3 extension repository (TER) where according countermeasures
are in place to protect object injections - that's why this change
is considered as hardening and not as security issue.

Resolves: #85466
Releases: master, 8.7
Change-Id: I65b61d61e08d0c50b27ae9102d7ba4c4518a8788
Reviewed-on: https://review.typo3.org/57477
Tested-by: TYPO3com
Reviewed-by: Tymoteusz Motylewski
Tested-by: Tymoteusz Motylewski

History

#1 Updated by Gerrit Code Review about 1 year ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57458

#2 Updated by Gerrit Code Review about 1 year ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57458

#3 Updated by Gerrit Code Review about 1 year ago

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57477

#4 Updated by Oliver Hader about 1 year ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#5 Updated by Benni Mack 10 months ago

  • Status changed from Resolved to Closed
