Bug #91387

closed

Relax constraints on serializing objects

Added by Oliver Hader almost 4 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Should have
Assignee:
Category: Security
Target version:
Start date: 2020-05-13
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 9
PHP Version:
Tags:
Complexity:
Is Regression: Yes
Sprint Focus:

Description

With security advisory https://typo3.org/security/advisory/TYPO3-CORE-SA-2020-004, a new BlockSerializationTrait has been introduced, blocking serialization and deserialization for a couple of classes (see advisory for details). Since this causes a couple of side effects for valid use cases, the restriction on serialize() is removed - which is fine from a security point of view.

Possible use case:
Some system state has to be persisted for documentation purposes, which needs a working serialization. De-serialization is not needed in such cases.
Reported by Gernot Leitgab in https://typo3.slack.com/archives/C0K5MU94J/p1589366052028100
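
The relaxed behaviour described above, as an added example that is not TYPO3's own code: one trait blocks both directions (the state that produced the 'Cannot serialize' errors), the other blocks only deserialization, so a state snapshot can still be written while a serialized payload naming the class is rejected. All class, trait and function names here are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical trait: rejects unserialize() only; serialize() stays available.
trait BlockDeserializationOnly
{
    // unserialize() invokes __wakeup() on the object it has just created;
    // throwing here refuses any payload that names a class using this trait.
    public function __wakeup(): void
    {
        throw new \BadMethodCallException('Cannot unserialize ' . static::class);
    }
}

// Hypothetical strict variant: additionally rejects serialize() via __sleep().
trait BlockBothDirections
{
    use BlockDeserializationOnly;

    public function __sleep(): array
    {
        throw new \BadMethodCallException('Cannot serialize ' . static::class);
    }
}

class RelaxedState { use BlockDeserializationOnly; public $settings = ['backend' => 'file']; }
class StrictState  { use BlockBothDirections;      public $settings = ['backend' => 'file']; }

// Runs a callable and reports whether it was allowed or blocked by the trait.
function attempt(callable $operation): string
{
    try {
        $operation();
        return 'allowed';
    } catch (\BadMethodCallException $e) {
        return 'blocked (' . $e->getMessage() . ')';
    }
}

// Constructed sample: persist a snapshot for documentation purposes.
$snapshot = serialize(new RelaxedState());

echo 'strict  serialize:   ', attempt(function () { serialize(new StrictState()); }), PHP_EOL;
echo 'relaxed serialize:   ', attempt(function () { serialize(new RelaxedState()); }), PHP_EOL;
echo 'relaxed unserialize: ', attempt(function () use ($snapshot) { unserialize($snapshot); }), PHP_EOL;
```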


Related issues 4 (2 open, 2 closed)

Related to TYPO3 Core - Bug #91393: Cachingproblems after recent TYPO3 9.5.17 (Closed, 2020-05-14)
Related to TYPO3 Core - Bug #88613: Replace ObjectStorage & LazyObjectStorage with symfony/collection (New, 2019-06-21)
Related to TYPO3 Core - Bug #91404: After update from 9.5.16 to 9.5.17 I get an error 'Cannot serialize' (Closed, 2020-05-14)
Related to TYPO3 Core - Bug #91364: Extbase/CachingFramework - Serialization on 'Closure' is not allowed (New, 2020-05-12)
