Bug #89937: Insecure Deserialization when knowing encryptionKey in Extbase - TYPO3 Core - TYPO3 Forge

Actions

Copy link

Bug #89937

closed

Insecure Deserialization when knowing encryptionKey in Extbase

Added by Oliver Hader almost 5 years ago. Updated over 4 years ago.

Status:

Closed

Priority:

Should have

Assignee:

Category:

Target version:

Start date:

2019-12-13

Due date:

% Done:

100%

Estimated time:

TYPO3 Version:

PHP Version:

Tags:

Complexity:

Is Regression:

Sprint Focus:

Description

Back-porting https://review.typo3.org/c/Packages/TYPO3.CMS/+/61223 might be the best way to do it.
However existing application might have use their own way in creating those requests with PHP's serialize - that's why

for v8 and v8 unserialize(..., [allowed_classes => false]) should be used
for earlier version unserialize(..., [allowed_classes => false]) should be used in combination with https://packagist.org/packages/brumann/polyfill-unserialize should be used

Related issues 1 (0 open — 1 closed)

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

TYPO3 Core

Custom queries

Bug #89937

Insecure Deserialization when knowing encryptionKey in Extbase

Updated by Gerrit Code Review almost 5 years ago

Updated by Gerrit Code Review almost 5 years ago

Updated by Gerrit Code Review almost 5 years ago

Updated by Gerrit Code Review almost 5 years ago

Updated by Gerrit Code Review almost 5 years ago

Updated by Gerrit Code Review almost 5 years ago

Updated by Gerrit Code Review almost 5 years ago

Updated by Gerrit Code Review almost 5 years ago

Updated by Oliver Hader almost 5 years ago

Updated by Oliver Hader almost 5 years ago

Updated by Oliver Hader almost 5 years ago

Updated by Benni Mack over 4 years ago