[SECURITY] Disallow insecure deserialization for l18n_diffsource

Serialized values in l18n_diffsource are vulnerable to insecure deserialization when being invoked in FormEngine or DataHandler. Resolves: #88323 Releases: master, 9.5, 8.7 Security-Commit: 3b96ca7d5b35967b4277ed8cd78cdff4e07d709c Security-Bulletin: TYPO3-CORE-SA-2019-020 Change-Id: Iea90b0604a8f44413005c1d4fd5c876c55c61094 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61139 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3 · Jun 25, 2019 · 555e0dd2b28f01a2f242dfefc0f344d10de50b2a · 555e0dd
1 parent 802e056
commit 555e0dd2b28f01a2f242dfefc0f344d10de50b2a
Showing with 8 additions and 2 deletions.

+4 −1 typo3/sysext/backend/Classes/Form/FormDataProvider/DatabaseLanguageRows.php

+4 −1 typo3/sysext/core/Classes/DataHandling/DataHandler.php
diff --git a/typo3/sysext/backend/Classes/Form/FormDataProvider/DatabaseLanguageRows.php b/typo3/sysext/backend/Classes/Form/FormDataProvider/DatabaseLanguageRows.php
@@ -64,7 +64,10 @@ public function addData(array $result)
                     && !empty($result['databaseRow'][$result['processedTca']['ctrl']['transOrigDiffSourceField']])
                 ) {
                     $defaultLanguageKey = $result['tableName'] . ':' . (int)$result['databaseRow']['uid'];
-                    $result['defaultLanguageDiffRow'][$defaultLanguageKey] = unserialize($result['databaseRow'][$result['processedTca']['ctrl']['transOrigDiffSourceField']]);
+                    $result['defaultLanguageDiffRow'][$defaultLanguageKey] = unserialize(
+                        $result['databaseRow'][$result['processedTca']['ctrl']['transOrigDiffSourceField']],
+                        ['allowed_classes' => false]
+                    );
                 }
 
                 // Add language overlays from further localizations if requested

diff --git a/typo3/sysext/core/Classes/DataHandling/DataHandler.php b/typo3/sysext/core/Classes/DataHandling/DataHandler.php
@@ -1483,7 +1483,10 @@ public function fillInFieldArray($table, $id, $fieldArray, $incomingFieldArray,
         ) {
             $originalLanguageRecord = $this->recordInfo($table, $currentRecord[$GLOBALS['TCA'][$table]['ctrl']['transOrigPointerField']], '*');
             BackendUtility::workspaceOL($table, $originalLanguageRecord);
-            $originalLanguage_diffStorage = unserialize($currentRecord[$GLOBALS['TCA'][$table]['ctrl']['transOrigDiffSourceField']]);
+            $originalLanguage_diffStorage = unserialize(
+                $currentRecord[$GLOBALS['TCA'][$table]['ctrl']['transOrigDiffSourceField']],
+                ['allowed_classes' => false]
+            );
         }
 
         $this->checkValue_currentRecord = $checkValueRecord;