[SECURITY] Avoid insecure deserialization in QueryGenerator & QueryView

Resolves: #89005 Releases: master, 9.5, 8.7 Security-Commit: 82656cf8149d04f31b1441a03415b5e9a067c614 Security-Bulletin: TYPO3-CORE-SA-2019-026 Change-Id: If312a53b24d919439fa70f5df96be383876957a6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62720 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3 · Dec 17, 2019 · fdf9cda · fdf9cda
1 parent 948df21
commit fdf9cda
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/typo3/sysext/core/Classes/Database/QueryGenerator.php b/typo3/sysext/core/Classes/Database/QueryGenerator.php
@@ -1463,7 +1463,7 @@ public function makeSelectorTable($modSettings, $enableList = 'table,fields,quer
                 $this->extFieldLists['queryOrder_SQL'] = implode(',', $reList);
             }
             // Query Generator:
-            $this->procesData($modSettings['queryConfig'] ? unserialize($modSettings['queryConfig']) : '');
+            $this->procesData($modSettings['queryConfig'] ? unserialize($modSettings['queryConfig'], ['allowed_classes' => false]) : '');
             $this->queryConfig = $this->cleanUpQueryConfig($this->queryConfig);
             $this->enableQueryParts = (bool)$modSettings['search_query_smallparts'];
             $codeArr = $this->getFormElements();

diff --git a/typo3/sysext/core/Classes/Database/QueryView.php b/typo3/sysext/core/Classes/Database/QueryView.php
@@ -195,7 +195,7 @@ public function initStoreArray()
         $storeArray = [
             '0' => '[New]'
         ];
-        $savedStoreArray = unserialize($this->settings['storeArray']);
+        $savedStoreArray = unserialize($this->settings['storeArray'], ['allowed_classes' => false]);
         if (is_array($savedStoreArray)) {
             $storeArray = array_merge($storeArray, $savedStoreArray);
         }
@@ -316,7 +316,7 @@ public function loadStoreQueryConfigs($storeQueryConfigs, $storeIndex, $writeArr
     public function procesStoreControl()
     {
         $storeArray = $this->initStoreArray();
-        $storeQueryConfigs = unserialize($this->settings['storeQueryConfigs']);
+        $storeQueryConfigs = unserialize($this->settings['storeQueryConfigs'], ['allowed_classes' => false]);
         $storeControl = GeneralUtility::_GP('storeControl');
         $storeIndex = (int)$storeControl['STORE'];
         $saveStoreArray = 0;
@@ -334,7 +334,7 @@ public function procesStoreControl()
                 } elseif ($storeIndex < 0 && ExtensionManagementUtility::isLoaded('sys_action')) {
                     $actionRecord = BackendUtility::getRecord('sys_action', abs($storeIndex));
                     if (is_array($actionRecord)) {
-                        $dA = unserialize($actionRecord['t2_data']);
+                        $dA = unserialize($actionRecord['t2_data'], ['allowed_classes' => false]);
                         $dbSC = [];
                         if (is_array($dA['qC'])) {
                             $dbSC[0] = $dA['qC'];