[SECURITY] Disallow insecure deserialization for l18n_diffsource

Serialized values in l18n_diffsource are vulnerable to insecure deserialization when being invoked in FormEngine or DataHandler. Resolves: #88323 Releases: master, 9.5, 8.7 Security-Commit: 215de3e52140dc69ccb0e5802ab4234922b1aa63 Security-Bulletin: TYPO3-CORE-SA-2019-020 Change-Id: I03704b35d94e2575e9231656977f3760e6f04e2b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61146 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3-CMS · Jun 25, 2019 · ea45392 · ea45392
1 parent 6ddc919
commit ea45392
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/Classes/DataHandling/DataHandler.php b/Classes/DataHandling/DataHandler.php
@@ -1335,7 +1335,10 @@ public function fillInFieldArray($table, $id, $fieldArray, $incomingFieldArray,
         ) {
             $originalLanguageRecord = $this->recordInfo($table, $currentRecord[$GLOBALS['TCA'][$table]['ctrl']['transOrigPointerField']], '*');
             BackendUtility::workspaceOL($table, $originalLanguageRecord);
-            $originalLanguage_diffStorage = unserialize($currentRecord[$GLOBALS['TCA'][$table]['ctrl']['transOrigDiffSourceField']]);
+            $originalLanguage_diffStorage = unserialize(
+                $currentRecord[$GLOBALS['TCA'][$table]['ctrl']['transOrigDiffSourceField']],
+                ['allowed_classes' => false]
+            );
         }
 
         $this->checkValue_currentRecord = $checkValueRecord;