[SECURITY] Disallow insecure deserialization for l18n_diffsource

Serialized values in l18n_diffsource are vulnerable to insecure deserialization when being invoked in FormEngine or DataHandler. Resolves: #88323 Releases: master, 9.5, 8.7 Security-Commit: 215de3e52140dc69ccb0e5802ab4234922b1aa63 Security-Bulletin: TYPO3-CORE-SA-2019-020 Change-Id: I03704b35d94e2575e9231656977f3760e6f04e2b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61146 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3 · Jun 25, 2019 · 647aa7a · 647aa7a
1 parent 75cc3d6
commit 647aa7a
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/typo3/sysext/backend/Classes/Form/FormDataProvider/DatabaseLanguageRows.php b/typo3/sysext/backend/Classes/Form/FormDataProvider/DatabaseLanguageRows.php
@@ -64,7 +64,10 @@ public function addData(array $result)
                     && !empty($result['databaseRow'][$result['processedTca']['ctrl']['transOrigDiffSourceField']])
                 ) {
                     $defaultLanguageKey = $result['tableName'] . ':' . (int)$result['databaseRow']['uid'];
-                    $result['defaultLanguageDiffRow'][$defaultLanguageKey] = unserialize($result['databaseRow'][$result['processedTca']['ctrl']['transOrigDiffSourceField']]);
+                    $result['defaultLanguageDiffRow'][$defaultLanguageKey] = unserialize(
+                        $result['databaseRow'][$result['processedTca']['ctrl']['transOrigDiffSourceField']],
+                        ['allowed_classes' => false]
+                    );
                 }
 
                 // Add language overlays from further localizations if requested

diff --git a/typo3/sysext/core/Classes/DataHandling/DataHandler.php b/typo3/sysext/core/Classes/DataHandling/DataHandler.php
@@ -1335,7 +1335,10 @@ public function fillInFieldArray($table, $id, $fieldArray, $incomingFieldArray,
         ) {
             $originalLanguageRecord = $this->recordInfo($table, $currentRecord[$GLOBALS['TCA'][$table]['ctrl']['transOrigPointerField']], '*');
             BackendUtility::workspaceOL($table, $originalLanguageRecord);
-            $originalLanguage_diffStorage = unserialize($currentRecord[$GLOBALS['TCA'][$table]['ctrl']['transOrigDiffSourceField']]);
+            $originalLanguage_diffStorage = unserialize(
+                $currentRecord[$GLOBALS['TCA'][$table]['ctrl']['transOrigDiffSourceField']],
+                ['allowed_classes' => false]
+            );
         }
 
         $this->checkValue_currentRecord = $checkValueRecord;