[TASK] Do not unserialize stdClass of be_users.uc in extensionmanager

This patch changes the behaviour when saving the backendfilter in extensionmanager list to not allow any class unserialize as TYPO3 Core does not put any classes in the UC and no other place in Core allows to unserialize stdClass for be_users.uc. Resolves: #93617 Releases: master, 10.4 Change-Id: I4b0ba03fb1ea02e97327e11fcd76486d3bd4cda6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68155 Tested-by: TYPO3com <noreply@typo3.com> Tested-by: core-ci <typo3@b13.com> Tested-by: Benni Mack <benni@typo3.org> Tested-by: Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by: Benni Mack <benni@typo3.org> Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
TYPO3 · Mar 1, 2021 · e41c11f · e41c11f
1 parent c1e52b9
commit e41c11f
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/typo3/sysext/extensionmanager/Classes/Controller/ListController.php b/typo3/sysext/extensionmanager/Classes/Controller/ListController.php
@@ -339,7 +339,7 @@ protected function saveBackendUserFilter(): void
         $backendUserRecord = BackendUtility::getRecord('be_users', $backendUserId);
 
         if (is_array($backendUserRecord) && isset($backendUserRecord['uc'])) {
-            $uc = unserialize($backendUserRecord['uc'], ['allowed_classes' => [\stdClass::class]]);
+            $uc = unserialize($backendUserRecord['uc'], ['allowed_classes' => false]);
             if (is_array($uc)) {
                 $uc['BackendComponents']['States']['ExtensionManager']['filter'] = $this->backendUserFilter;
                 $connection = GeneralUtility::makeInstance(ConnectionPool::class)->getConnectionForTable('be_users');