Bug #89937
closed
Insecure Deserialization when knowing encryptionKey in Extbase
100%
Description
Back-porting https://review.typo3.org/c/Packages/TYPO3.CMS/+/61223 might be the best way to do it.
However, existing applications might have used their own way of creating those requests with PHP's serialize - that's why
- for v8 and v8
unserialize(..., ['allowed_classes' => false])
should be used
- for earlier versions
unserialize(..., ['allowed_classes' => false])
should be used in combination with https://packagist.org/packages/brumann/polyfill-unserialize
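An added example, not code from this ticket or from TYPO3: it shows why a valid signature is not enough once the key is known, and what the `allowed_classes => false` option from the description changes. The `Probe` class, the two helper functions, the HMAC-SHA1 suffix format and the key are constructed for the demonstration; it needs PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for any class with a magic method; not a TYPO3 class.
final class Probe
{
    public static $wakeups = 0;
    public $note = 'constructed sample';

    public function __wakeup(): void
    {
        self::$wakeups++; // runs as soon as unserialize() instantiates the object
    }
}

// Hypothetical helpers: payload followed by a 40-character HMAC-SHA1 tag.
function signPayload(string $payload, string $key): string
{
    return $payload . hash_hmac('sha1', $payload, $key);
}

function verifyPayload(string $signed, string $key): ?string
{
    if (strlen($signed) <= 40) {
        return null;
    }
    $payload = substr($signed, 0, -40);
    $tag = substr($signed, -40);
    return hash_equals(hash_hmac('sha1', $payload, $key), $tag) ? $payload : null;
}

$key = 'constructed-demo-key'; // placeholder, not a real encryptionKey
$signed = signPayload(serialize(['page' => 3, 'obj' => new Probe()]), $key);

// The signature only proves the sender knew $key; it says nothing about the content.
$payload = verifyPayload($signed, $key);
if ($payload === null) {
    exit("signature mismatch\n");
}

// Before: every class named in the payload is instantiated and its magic methods run.
$before = unserialize($payload);
printf("default:         %s, __wakeup calls: %d\n", get_class($before['obj']), Probe::$wakeups);

// After: scalars and arrays survive, objects become inert __PHP_Incomplete_Class.
Probe::$wakeups = 0;
$after = unserialize($payload, ['allowed_classes' => false]);
printf("allowed_classes: %s, __wakeup calls: %d, page: %d\n",
    get_class($after['obj']), Probe::$wakeups, $after['page']);
```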
Updated by Gerrit Code Review almost 5 years ago
- Status changed from New to Under Review
Patch set 1 for branch 9.5 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/c/Teams/Security/TYPO3v4-Core/+/62619
Updated by Gerrit Code Review almost 5 years ago
Patch set 1 for branch TYPO3_8-7 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/c/Teams/Security/TYPO3v4-Core/+/62620
Updated by Gerrit Code Review almost 5 years ago
Patch set 2 for branch 9.5 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/c/Teams/Security/TYPO3v4-Core/+/62619
Updated by Gerrit Code Review almost 5 years ago
Patch set 2 for branch TYPO3_8-7 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/c/Teams/Security/TYPO3v4-Core/+/62620
Updated by Gerrit Code Review almost 5 years ago
Patch set 3 for branch TYPO3_8-7 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/c/Teams/Security/TYPO3v4-Core/+/62620
Updated by Gerrit Code Review almost 5 years ago
Patch set 3 for branch 9.5 of project Teams/Security/TYPO3v4-Core has been pushed to the review server.
It is available at https://review.typo3.org/c/Teams/Security/TYPO3v4-Core/+/62619
Updated by Gerrit Code Review almost 5 years ago
Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62695
Updated by Gerrit Code Review almost 5 years ago
Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62702
Updated by Oliver Hader almost 5 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset typo3cms-core:57e4ed35a6e58521a931855e702b2688b3bc3d62.
Updated by Oliver Hader almost 5 years ago
- Related to Bug #89434: Action argument values will get lost on validation error added
Updated by Oliver Hader almost 5 years ago
- Project changed from 1716 to TYPO3 Core
- Category deleted (OW-A08: Insecure Deserialization)
- Target version deleted (public)