unserialize call without allowed_classes

Created on 1 March 2023, about 2 years ago

Advisory: This is a security hardening task, not a security issue per @cilefen, as there are no specific steps to hack, but even if there were steps, this is pre-release and not covered by the security team. Field settings are admin-only too.

Problem/Motivation

unserialize() is called on stored field settings without the allowed_classes option. Without it, PHP will instantiate any class known to the autoloader that appears in the serialized string and run its __wakeup()/__destruct() magic methods, which is the basis of PHP object injection. Settings data only needs scalars and arrays, so object instantiation should be disabled.

Steps to reproduce

Found this while auditing the code; there are no concrete steps to reproduce or exploit.

Proposed resolution

Add ['allowed_classes' => FALSE] as the second argument to unserialize() (the option exists since PHP 7.0), so that object entries are returned as __PHP_Incomplete_Class and no magic methods run.
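The following is an added illustration of the before/after behaviour, not code from this issue or from the module being audited. The SideEffectOnWakeup class, the loadSettingsUnsafe()/loadSettingsHardened() helpers and the payloads are constructed for the example; in a real code base the "gadget" would be any autoloadable class whose magic methods have side effects.

```php
<?php
// Stand-in for any class in the autoloaded code base with a magic method.
// Constructed for this example; it only echoes, but a real gadget could
// write files, run queries, etc. from __wakeup() or __destruct().
class SideEffectOnWakeup {
    public string $target = '';

    public function __wakeup(): void {
        // Runs automatically during unserialize() if the class is permitted.
        echo "__wakeup() fired, target={$this->target}\n";
    }
}

// What a field setting would normally contain: plain scalars and arrays.
$benign = serialize(['max_length' => 255, 'case_sensitive' => false]);

// What someone who controls the stored string could substitute (constructed):
// O:18:"SideEffectOnWakeup":1:{s:6:"target";s:0:"";}
$hostile = serialize(new SideEffectOnWakeup());

function loadSettingsUnsafe(string $blob) {
    // Before: any class known to the autoloader can be instantiated.
    return unserialize($blob);
}

function loadSettingsHardened(string $blob) {
    // After: objects are never instantiated; only scalars/arrays come back.
    // Objects in the input degrade to __PHP_Incomplete_Class, whose
    // __wakeup()/__destruct() are never invoked.
    $value = unserialize($blob, ['allowed_classes' => false]);

    // unserialize() returns false on malformed input; distinguish that from
    // a legitimately serialized false ("b:0;") before treating it as an error.
    if ($value === false && $blob !== serialize(false)) {
        throw new \UnexpectedValueException('Malformed serialized settings');
    }
    return $value;
}

// Benign data round-trips identically on both paths.
var_dump(loadSettingsHardened($benign) === loadSettingsUnsafe($benign)); // bool(true)

// Hostile data, unsafe path: the object is instantiated and __wakeup() fires.
$obj = loadSettingsUnsafe($hostile);
var_dump(get_class($obj)); // string(18) "SideEffectOnWakeup"

// Hostile data, hardened path: no magic method runs, the class is replaced.
$obj = loadSettingsHardened($hostile);
var_dump(get_class($obj)); // string(22) "__PHP_Incomplete_Class"
```

If a caller genuinely needs objects back, pass an explicit list of class names (['allowed_classes' => ['Some\Value\Object']]) instead of FALSE; TRUE, or omitting the option, is equivalent to allowing every class and is what this issue removes. Callers that expect only arrays can additionally check is_array() on the result so that an unexpected __PHP_Incomplete_Class is rejected rather than silently passed along.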

Remaining tasks

Patch

User interface changes

None.

API changes

None.

Data model changes

None.

📌 Task
Status

Needs review

Version

1.0

Component

Code

Created by

penyaskito (Seville, Spain)
