Hotfix: Add type checking for deserialized data in sfParameterHolder …

…and sfNamespacedParameterHolder (CVE-2024-28861)
FriendsOfSymfony1 · Mar 19, 2024 · 0bd9d59 · 0bd9d59
1 parent 50a898b
commit 0bd9d59
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/lib/util/sfNamespacedParameterHolder.class.php b/lib/util/sfNamespacedParameterHolder.class.php
@@ -53,11 +53,19 @@ public function __serialize()
 
     /**
      * Unserializes a sfParameterHolder instance for PHP 7.4+.
+     * [CVE-2024-28861] Check type of returned data to avoid deserialization vulnerabilities.
      *
      * @param array $data
      */
     public function __unserialize($data)
     {
+        if (!is_array($data) || 2 !== \count($data)) {
+            $this->default_namespace = null;
+            $this->parameters = [];
+
+            return;
+        }
+
         $this->default_namespace = $data[0];
         $this->parameters = $data[1];
     }

diff --git a/lib/util/sfParameterHolder.class.php b/lib/util/sfParameterHolder.class.php
@@ -41,11 +41,18 @@ public function __serialize()
 
     /**
      * Unserializes a sfParameterHolder instance for PHP 7.4+.
+     * [CVE-2024-28861] Check type of returned data to avoid deserialization vulnerabilities.
      *
      * @param array $data
      */
     public function __unserialize($data)
     {
+        if (!is_array($data)) {
+            $this->parameters = [];
+
+            return;
+        }
+
         $this->parameters = $data;
     }