Untrusted serialization, possible gadget chain attack

Created on 28 March 2023, almost 2 years ago

Problem/Motivation

https://git.drupalcode.org/project/event_scheduler/-/blob/8.x-1.x/src/No... calls unserialize without the allowed classes argument, possibly leading to a gadget chain attack

Steps to reproduce

Proposed resolution

Pass the allowed classes argument to limit the classes that can be created

Remaining tasks

User interface changes

API changes

Data model changes
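The pattern the issue describes, shown as an added illustration rather than code taken from the event_scheduler module: an unserialize() call with no options beside the hardened form that passes allowed_classes. The class names (ScheduleSettings, Placeholder) and the serialized input are constructed here for the example only.

```php
<?php
// Added example, not the event_scheduler module's own code.
// Contrasts unserialize() without options against unserialize() restricted
// with allowed_classes. All class names and inputs below are made up.

declare(strict_types=1);

/**
 * Unsafe pattern: the class named inside the serialized string is looked up
 * through the autoloader and instantiated, and its magic methods (__wakeup,
 * __unserialize, __destruct) run on attacker-chosen property values.
 */
function unserializeUnsafe(string $data): mixed {
  return unserialize($data);
}

/**
 * Hardened pattern: only the listed classes are instantiated. Any other class
 * is rehydrated as __PHP_Incomplete_Class, whose magic methods never execute.
 * With an empty allowlist the option becomes FALSE, so only scalars and
 * arrays can come back; that is the right setting for plain data payloads.
 */
function unserializeSafe(string $data, array $allowedClasses = []): mixed {
  return unserialize($data, [
    'allowed_classes' => $allowedClasses === [] ? FALSE : $allowedClasses,
  ]);
}

/** Hypothetical value object that a module might legitimately store. */
final class ScheduleSettings {
  public function __construct(public int $intervalSeconds = 60) {}
}

/**
 * Returns TRUE when a stored object of an expected class survives the
 * restricted round trip intact.
 */
function knownClassRoundTrips(): bool {
  $stored = serialize(new ScheduleSettings(300));
  $restored = unserializeSafe($stored, [ScheduleSettings::class]);
  return $restored instanceof ScheduleSettings && $restored->intervalSeconds === 300;
}

/**
 * Returns TRUE when an object of an unexpected class is neutralised by the
 * allowlist instead of being instantiated. The input is a constructed
 * serialized object of a class that is not on the allowlist.
 */
function unknownClassIsNeutralised(): bool {
  $untrusted = 'O:11:"Placeholder":1:{s:4:"note";s:7:"example";}';
  $restored = unserializeSafe($untrusted, [ScheduleSettings::class]);
  return $restored instanceof __PHP_Incomplete_Class;
}

/**
 * Returns TRUE when a data-only payload is accepted with the strictest
 * setting (allowed_classes => FALSE).
 */
function dataOnlyPayloadIsAccepted(): bool {
  $restored = unserializeSafe(serialize(['interval' => 60, 'enabled' => TRUE]));
  return is_array($restored) && $restored['interval'] === 60;
}

// Usage: run each check and report the result.
foreach (['knownClassRoundTrips', 'unknownClassIsNeutralised', 'dataOnlyPayloadIsAccepted'] as $check) {
  printf("%s: %s\n", $check, $check() ? 'ok' : 'FAILED');
}
```

Two things worth checking when applying this fix to a real call site: the allowlist should name only classes whose __wakeup/__unserialize/__destruct are harmless for any property values, since those still run for allowed classes; and if the stored value never needs to contain objects at all, passing allowed_classes => FALSE (or switching the storage format to JSON) removes the object-instantiation surface entirely rather than narrowing it.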

🐛 Bug report
Status

Active

Component

Code

Created by

🇦🇺Australia larowlan 🇦🇺🏝.au GMT+10

Tags

  • Security improvements
  • Security


Comments & Activities

  • Issue created by @larowlan
  • 🇺🇸United States greggles Denver, Colorado, USA

    Adding the "Security" tag which I think has special meaning in the drupal.org packaging system for modules.

    Thanks for finding and filing this, @larowlan.
