[SECURITY] Prevent destructors with side-effects from being unserialized

Deserialization of objects could lead to arbitrary removal of resources as well as sending out message via mail. Resolves: #88573 Resolves: #90316 Releases: master, 9.5 Change-Id: I3f77928203f4929bc715f548fb9bfdc0cd749e93 Security-Bulletin: TYPO3-CORE-SA-2020-004 Security-References: CVE-2020-11066 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64468 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3 · May 12, 2020 · ab4fec2 · ab4fec2
1 parent 0040b7b
commit ab4fec2
Show file tree

Hide file tree

Showing 12 changed files with 70 additions and 3 deletions.
diff --git a/typo3/sysext/core/Classes/FormProtection/AbstractFormProtection.php b/typo3/sysext/core/Classes/FormProtection/AbstractFormProtection.php
@@ -16,6 +16,7 @@
 namespace TYPO3\CMS\Core\FormProtection;
 
 use TYPO3\CMS\Core\Crypto\Random;
+use TYPO3\CMS\Core\Security\BlockSerializationTrait;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 
 /**
@@ -27,6 +28,8 @@
  */
 abstract class AbstractFormProtection
 {
+    use BlockSerializationTrait;
+
     /**
      * @var \Closure
      */

diff --git a/typo3/sysext/core/Classes/Locking/FileLockStrategy.php b/typo3/sysext/core/Classes/Locking/FileLockStrategy.php
@@ -19,15 +19,17 @@
 use TYPO3\CMS\Core\Locking\Exception\LockAcquireException;
 use TYPO3\CMS\Core\Locking\Exception\LockAcquireWouldBlockException;
 use TYPO3\CMS\Core\Locking\Exception\LockCreateException;
+use TYPO3\CMS\Core\Security\BlockSerializationTrait;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 
 /**
  * flock() locking
  */
 class FileLockStrategy implements LockingStrategyInterface
 {
-    const FILE_LOCK_FOLDER = 'lock/';
+    use BlockSerializationTrait;
 
+    const FILE_LOCK_FOLDER = 'lock/';
     const DEFAULT_PRIORITY = 75;
 
     /**

diff --git a/typo3/sysext/core/Classes/Locking/SemaphoreLockStrategy.php b/typo3/sysext/core/Classes/Locking/SemaphoreLockStrategy.php
@@ -18,15 +18,17 @@
 use TYPO3\CMS\Core\Core\Environment;
 use TYPO3\CMS\Core\Locking\Exception\LockAcquireException;
 use TYPO3\CMS\Core\Locking\Exception\LockCreateException;
+use TYPO3\CMS\Core\Security\BlockSerializationTrait;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 
 /**
  * Semaphore locking
  */
 class SemaphoreLockStrategy implements LockingStrategyInterface
 {
-    const FILE_LOCK_FOLDER = 'lock/';
+    use BlockSerializationTrait;
 
+    const FILE_LOCK_FOLDER = 'lock/';
     const DEFAULT_PRIORITY = 25;
 
     /**

diff --git a/typo3/sysext/core/Classes/Locking/SimpleLockStrategy.php b/typo3/sysext/core/Classes/Locking/SimpleLockStrategy.php
@@ -18,15 +18,17 @@
 use TYPO3\CMS\Core\Core\Environment;
 use TYPO3\CMS\Core\Locking\Exception\LockAcquireWouldBlockException;
 use TYPO3\CMS\Core\Locking\Exception\LockCreateException;
+use TYPO3\CMS\Core\Security\BlockSerializationTrait;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 
 /**
  * Simple file locking
  */
 class SimpleLockStrategy implements LockingStrategyInterface
 {
-    const FILE_LOCK_FOLDER = 'lock/';
+    use BlockSerializationTrait;
 
+    const FILE_LOCK_FOLDER = 'lock/';
     const DEFAULT_PRIORITY = 50;
 
     /**

diff --git a/typo3/sysext/core/Classes/Log/Writer/AbstractWriter.php b/typo3/sysext/core/Classes/Log/Writer/AbstractWriter.php
@@ -16,12 +16,15 @@
 namespace TYPO3\CMS\Core\Log\Writer;
 
 use TYPO3\CMS\Core\Log\Exception\InvalidLogWriterConfigurationException;
+use TYPO3\CMS\Core\Security\BlockSerializationTrait;
 
 /**
  * Abstract implementation of a log writer
  */
 abstract class AbstractWriter implements WriterInterface
 {
+    use BlockSerializationTrait;
+
     /**
      * Constructs this log writer
      *

diff --git a/typo3/sysext/core/Classes/Mail/MemorySpool.php b/typo3/sysext/core/Classes/Mail/MemorySpool.php
@@ -23,6 +23,7 @@
 use Symfony\Component\Mailer\SentMessage;
 use Symfony\Component\Mailer\Transport\AbstractTransport;
 use Symfony\Component\Mailer\Transport\TransportInterface;
+use TYPO3\CMS\Core\Security\BlockSerializationTrait;
 use TYPO3\CMS\Core\SingletonInterface;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 
@@ -38,6 +39,7 @@
  */
 class MemorySpool extends AbstractTransport implements SingletonInterface, LoggerAwareInterface, DelayedTransportInterface
 {
+    use BlockSerializationTrait;
     use LoggerAwareTrait;
 
     /**

diff --git a/typo3/sysext/core/Classes/Security/BlockSerializationTrait.php b/typo3/sysext/core/Classes/Security/BlockSerializationTrait.php
@@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+
+namespace TYPO3\CMS\Core\Security;
+
+/**
+ * Blocks object being using in `serialize()` and `unserialize()` invocations.
+ */
+trait BlockSerializationTrait
+{
+    /**
+     * Deny object serialization.
+     */
+    public function __sleep()
+    {
+        throw new \BadMethodCallException('Cannot serialize ' . __CLASS__, 1588784141);
+    }
+
+    /**
+     * Deny object deserialization.
+     */
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize ' . __CLASS__, 1588784142);
+    }
+}
diff --git a/typo3/sysext/core/Classes/Service/AbstractService.php b/typo3/sysext/core/Classes/Service/AbstractService.php
@@ -17,6 +17,7 @@
 
 use Psr\Log\LoggerAwareInterface;
 use Psr\Log\LoggerAwareTrait;
+use TYPO3\CMS\Core\Security\BlockSerializationTrait;
 use TYPO3\CMS\Core\TimeTracker\TimeTracker;
 use TYPO3\CMS\Core\Utility\CommandUtility;
 use TYPO3\CMS\Core\Utility\ExtensionManagementUtility;
@@ -27,6 +28,7 @@
  */
 abstract class AbstractService implements LoggerAwareInterface
 {
+    use BlockSerializationTrait;
     use LoggerAwareTrait;
 
     // General error - something went wrong

diff --git a/typo3/sysext/extbase/Classes/Reflection/ReflectionService.php b/typo3/sysext/extbase/Classes/Reflection/ReflectionService.php
@@ -18,6 +18,7 @@
 use TYPO3\CMS\Core\Cache\CacheManager;
 use TYPO3\CMS\Core\Core\Environment;
 use TYPO3\CMS\Core\Information\Typo3Version;
+use TYPO3\CMS\Core\Security\BlockSerializationTrait;
 use TYPO3\CMS\Core\SingletonInterface;
 use TYPO3\CMS\Extbase\Reflection\Exception\UnknownClassException;
 
@@ -27,6 +28,8 @@
  */
 class ReflectionService implements SingletonInterface
 {
+    use BlockSerializationTrait;
+
     /**
      * @var string
      */

diff --git a/typo3/sysext/extensionmanager/Classes/Controller/UploadExtensionFileController.php b/typo3/sysext/extensionmanager/Classes/Controller/UploadExtensionFileController.php
@@ -18,6 +18,7 @@
 use TYPO3\CMS\Core\Configuration\ExtensionConfiguration;
 use TYPO3\CMS\Core\Core\Environment;
 use TYPO3\CMS\Core\Messaging\FlashMessage;
+use TYPO3\CMS\Core\Security\BlockSerializationTrait;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Extbase\Mvc\Exception\StopActionException;
 use TYPO3\CMS\Extensionmanager\Domain\Repository\ExtensionRepository;
@@ -34,6 +35,8 @@
  */
 class UploadExtensionFileController extends AbstractController
 {
+    use BlockSerializationTrait;
+
     /**
      * @var ExtensionRepository
      */

diff --git a/typo3/sysext/install/Classes/Service/Session/FileSessionHandler.php b/typo3/sysext/install/Classes/Service/Session/FileSessionHandler.php
@@ -17,6 +17,7 @@
 
 namespace TYPO3\CMS\Install\Service\Session;
 
+use TYPO3\CMS\Core\Security\BlockSerializationTrait;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Install\Service\Exception;
 
@@ -26,6 +27,8 @@
  */
 class FileSessionHandler implements \SessionHandlerInterface
 {
+    use BlockSerializationTrait;
+
     /**
      * The path to our var/session/ folder (where we can write our sessions). Set in the
      * constructor.

diff --git a/typo3/sysext/install/Classes/Service/SessionService.php b/typo3/sysext/install/Classes/Service/SessionService.php
@@ -19,6 +19,7 @@
 use TYPO3\CMS\Core\Core\Environment;
 use TYPO3\CMS\Core\Http\CookieHeaderTrait;
 use TYPO3\CMS\Core\Messaging\FlashMessage;
+use TYPO3\CMS\Core\Security\BlockSerializationTrait;
 use TYPO3\CMS\Core\SingletonInterface;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Install\Exception;
@@ -30,6 +31,7 @@
  */
 class SessionService implements SingletonInterface
 {
+    use BlockSerializationTrait;
     use CookieHeaderTrait;
 
     /**