From 647aa7afa582983cddc547fa106d31e2b1ef34fe Mon Sep 17 00:00:00 2001
From: Oliver Hader <oliver@typo3.org>
Date: Tue, 25 Jun 2019 08:42:25 +0200
Subject: [PATCH] [SECURITY] Disallow insecure deserialization for
 l18n_diffsource

Serialized values in l18n_diffsource are vulnerable to insecure
deserialization when being invoked in FormEngine or DataHandler.

Resolves: #88323
Releases: master, 9.5, 8.7
Security-Commit: 215de3e52140dc69ccb0e5802ab4234922b1aa63
Security-Bulletin: TYPO3-CORE-SA-2019-020
Change-Id: I03704b35d94e2575e9231656977f3760e6f04e2b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61146
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
---
 .../Classes/Form/FormDataProvider/DatabaseLanguageRows.php   | 5 ++++-
 typo3/sysext/core/Classes/DataHandling/DataHandler.php       | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/typo3/sysext/backend/Classes/Form/FormDataProvider/DatabaseLanguageRows.php b/typo3/sysext/backend/Classes/Form/FormDataProvider/DatabaseLanguageRows.php
index 31633dc7dcd8..deee688cdf71 100644
--- a/typo3/sysext/backend/Classes/Form/FormDataProvider/DatabaseLanguageRows.php
+++ b/typo3/sysext/backend/Classes/Form/FormDataProvider/DatabaseLanguageRows.php
@@ -64,7 +64,10 @@ public function addData(array $result)
                     && !empty($result['databaseRow'][$result['processedTca']['ctrl']['transOrigDiffSourceField']])
                 ) {
                     $defaultLanguageKey = $result['tableName'] . ':' . (int)$result['databaseRow']['uid'];
-                    $result['defaultLanguageDiffRow'][$defaultLanguageKey] = unserialize($result['databaseRow'][$result['processedTca']['ctrl']['transOrigDiffSourceField']]);
+                    $result['defaultLanguageDiffRow'][$defaultLanguageKey] = unserialize(
+                        $result['databaseRow'][$result['processedTca']['ctrl']['transOrigDiffSourceField']],
+                        ['allowed_classes' => false]
+                    );
                 }
 
                 // Add language overlays from further localizations if requested
diff --git a/typo3/sysext/core/Classes/DataHandling/DataHandler.php b/typo3/sysext/core/Classes/DataHandling/DataHandler.php
index 5b7429c15b83..bdfc64a6271e 100644
--- a/typo3/sysext/core/Classes/DataHandling/DataHandler.php
+++ b/typo3/sysext/core/Classes/DataHandling/DataHandler.php
@@ -1335,7 +1335,10 @@ public function fillInFieldArray($table, $id, $fieldArray, $incomingFieldArray,
         ) {
             $originalLanguageRecord = $this->recordInfo($table, $currentRecord[$GLOBALS['TCA'][$table]['ctrl']['transOrigPointerField']], '*');
             BackendUtility::workspaceOL($table, $originalLanguageRecord);
-            $originalLanguage_diffStorage = unserialize($currentRecord[$GLOBALS['TCA'][$table]['ctrl']['transOrigDiffSourceField']]);
+            $originalLanguage_diffStorage = unserialize(
+                $currentRecord[$GLOBALS['TCA'][$table]['ctrl']['transOrigDiffSourceField']],
+                ['allowed_classes' => false]
+            );
         }
 
         $this->checkValue_currentRecord = $checkValueRecord;