Project

General

Profile

Actions

Task #85466

closed

Use secure deserialization in extension manager

Added by Oliver Hader over 5 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Extension Manager
Target version:
-
Start date:
2018-07-03
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
8
PHP Version:
7.0
Tags:
Complexity:
Sprint Focus:

Description

In order to harden the deserialization of scalar and array values in extension manager unserialize() calls are hardened further to disallow object reconstitution. The information is retrieved from the TYPO3 extension repository (TER) where according countermeasures are in place to protect object injections - that's why this change is considered as hardening and not as security issue.

Actions #1

Updated by Gerrit Code Review over 5 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57458

Actions #2

Updated by Gerrit Code Review over 5 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57458

Actions #3

Updated by Gerrit Code Review over 5 years ago

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57477

Actions #4

Updated by Oliver Hader over 5 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #5

Updated by Benni Mack over 5 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF