Contrib.social

unserialize call without allowed_classes

Open on Drupal.org β†’
Created on 1 March 2023, over 1 year ago

Advisory: This is a security hardening task, not a security issue per @cilefen, as there are no specific steps to hack, but even if there were steps, this is pre-release and not covered from the security team. Field settings are admin-only too.

Problem/Motivation

unserialize called without allowed_classes

Steps to reproduce

Found this auditing the code, not concrete steps to reproduce or exploit.

Proposed resolution

Add [allowed_classes=> FALSE] as second argument

Remaining tasks

Patch

User interface changes

None.

API changes

None.

Data model changes

None.

πŸ“Œ Task
Status

Needs review

Version

1.0

Component

Code

Created by

πŸ‡ͺπŸ‡ΈSpain penyaskito Seville πŸ’ƒ, Spain πŸ‡ͺπŸ‡Έ, UTC+2 πŸ‡ͺπŸ‡Ί

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @penyaskito
  • Status changed to Needs review over 1 year ago
  • Comment over 1 year ago β†’
    πŸ‡ͺπŸ‡ΈSpain penyaskito Seville πŸ’ƒ, Spain πŸ‡ͺπŸ‡Έ, UTC+2 πŸ‡ͺπŸ‡Ί

    Attached patch.

  • Comment over 1 year ago β†’
    πŸ‡ͺπŸ‡ΈSpain penyaskito Seville πŸ’ƒ, Spain πŸ‡ͺπŸ‡Έ, UTC+2 πŸ‡ͺπŸ‡Ί

    This makes tests pass, but not sure if we can specify which classes are allowed, as block field selection might differ. In that case we might want to add a phpcs:ignore and leave the code as it is if it doesn't suppose a security risk.

  • Comment over 1 year ago β†’
    πŸ‡ͺπŸ‡ΈSpain penyaskito Seville πŸ’ƒ, Spain πŸ‡ͺπŸ‡Έ, UTC+2 πŸ‡ͺπŸ‡Ί
contrib.social Blog FAQ Discussions
Production build 0.69.0 2024