Skip to content
This repository has been archived by the owner on Nov 3, 2023. It is now read-only.

Commit

Permalink
Do not pass POST data to the deserialize() function (see #6695)
Browse files Browse the repository at this point in the history
Do not pass POST data to the `deserialize()` function, so it is not vulnerable to PHP object injection. Thanks to Pedro Ribeiro for his input.
  • Loading branch information
leofeyer committed Feb 3, 2014
1 parent 98857d1 commit f939b5b
Show file tree
Hide file tree
Showing 13 changed files with 26 additions and 17 deletions.
8 changes: 8 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,14 @@
Contao Open Source CMS Changelog
================================

Version 2.11.14 (2014-02-03)
----------------------------

### Fixed
Do not pass POST data to the `deserialize()` function, so it is not vulnerable
to PHP object injection. Thanks to Pedro Ribeiro for his input (see #6695).


Version 2.11.13 (2013-11-19)
----------------------------

Expand Down
2 changes: 1 addition & 1 deletion contao/install.php
Original file line number Diff line number Diff line change
Expand Up @@ -750,7 +750,7 @@ public function run()
*/
if ($this->Input->post('FORM_SUBMIT') == 'tl_tables')
{
$sql = deserialize($this->Input->post('sql'));
$sql = $this->Input->post('sql');

if (is_array($sql))
{
Expand Down
2 changes: 1 addition & 1 deletion system/constants.php
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@
* the web browser reload those resources after a Contao update.
*/
define('VERSION', '2.11');
define('BUILD', '13');
define('BUILD', '14');
define('LONG_TERM_SUPPORT', true);
define('CODEMIRROR', '2.2');
define('DATEPICKER', '2.1.1');
Expand Down
6 changes: 3 additions & 3 deletions system/drivers/DC_Folder.php
Original file line number Diff line number Diff line change
Expand Up @@ -100,9 +100,9 @@ public function __construct($strTable)
// Set IDs and redirect
if ($this->Input->post('FORM_SUBMIT') == 'tl_select')
{
$ids = deserialize($this->Input->post('IDS'));
$ids = $this->Input->post('IDS');

if (!is_array($ids) || empty($ids))
if (empty($ids) || !is_array($ids))
{
$this->reload();
}
Expand Down Expand Up @@ -1002,7 +1002,7 @@ public function editAll()
// Save field selection in session
if ($this->Input->post('FORM_SUBMIT') == $this->strTable.'_all' && $this->Input->get('fields'))
{
$session['CURRENT'][$this->strTable] = deserialize($this->Input->post('all_fields'));
$session['CURRENT'][$this->strTable] = $this->Input->post('all_fields');
$this->Session->setData($session);
}

Expand Down
10 changes: 5 additions & 5 deletions system/drivers/DC_Table.php
Original file line number Diff line number Diff line change
Expand Up @@ -145,15 +145,15 @@ public function __construct($strTable)
// Set IDs and redirect
if ($this->Input->post('FORM_SUBMIT') == 'tl_select')
{
$ids = deserialize($this->Input->post('IDS'));
$ids = $this->Input->post('IDS');

if (!is_array($ids) || empty($ids))
if (empty($ids) || !is_array($ids))
{
$this->reload();
}

$session = $this->Session->getData();
$session['CURRENT']['IDS'] = deserialize($this->Input->post('IDS'));
$session['CURRENT']['IDS'] = $ids;
$this->Session->setData($session);

if (isset($_POST['edit']))
Expand Down Expand Up @@ -1996,7 +1996,7 @@ public function editAll($intId=null, $ajaxId=null)
// Save field selection in session
if ($this->Input->post('FORM_SUBMIT') == $this->strTable.'_all' && $this->Input->get('fields'))
{
$session['CURRENT'][$this->strTable] = deserialize($this->Input->post('all_fields'));
$session['CURRENT'][$this->strTable] = $this->Input->post('all_fields');
$this->Session->setData($session);
}

Expand Down Expand Up @@ -2323,7 +2323,7 @@ public function overrideAll()
// Save field selection in session
if ($this->Input->post('FORM_SUBMIT') == $this->strTable.'_all' && $this->Input->get('fields'))
{
$session['CURRENT'][$this->strTable] = deserialize($this->Input->post('all_fields'));
$session['CURRENT'][$this->strTable] = $this->Input->post('all_fields');
$this->Session->setData($session);
}

Expand Down
2 changes: 1 addition & 1 deletion system/libraries/Widget.php
Original file line number Diff line number Diff line change
Expand Up @@ -548,7 +548,7 @@ protected function addSubmit()
*/
public function validate()
{
$varValue = $this->validator(deserialize($this->getPost($this->strName)));
$varValue = $this->validator($this->getPost($this->strName));

if ($this->hasErrors())
{
Expand Down
2 changes: 1 addition & 1 deletion system/modules/backend/KeyValueWizard.php
Original file line number Diff line number Diff line change
Expand Up @@ -82,7 +82,7 @@ public function __set($strKey, $varValue)
public function validate()
{
$mandatory = $this->mandatory;
$options = deserialize($this->getPost($this->strName));
$options = $this->getPost($this->strName);

// Check keys only (values can be empty)
if (is_array($options))
Expand Down
2 changes: 1 addition & 1 deletion system/modules/backend/OptionWizard.php
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ class OptionWizard extends Widget
public function validate()
{
$mandatory = $this->mandatory;
$options = deserialize($this->getPost($this->strName));
$options = $this->getPost($this->strName);

// Check labels only (values can be empty)
if (is_array($options))
Expand Down
2 changes: 1 addition & 1 deletion system/modules/backend/PurgeData.php
Original file line number Diff line number Diff line change
Expand Up @@ -81,7 +81,7 @@ public function run()
// Purge the resources
if ($this->Input->post('FORM_SUBMIT') == 'tl_purge')
{
$tables = deserialize($this->Input->post('tables'));
$tables = $this->Input->post('tables');

if (!is_array($tables))
{
Expand Down
2 changes: 1 addition & 1 deletion system/modules/frontend/FormCheckBox.php
Original file line number Diff line number Diff line change
Expand Up @@ -115,7 +115,7 @@ public function __get($strKey)
public function validate()
{
$mandatory = $this->mandatory;
$options = deserialize($this->getPost($this->strName));
$options = $this->getPost($this->strName);

// Check if there is at least one value
if ($mandatory && is_array($options))
Expand Down
2 changes: 1 addition & 1 deletion system/modules/frontend/FormSelectMenu.php
Original file line number Diff line number Diff line change
Expand Up @@ -115,7 +115,7 @@ public function __set($strKey, $varValue)
public function validate()
{
$mandatory = $this->mandatory;
$options = deserialize($this->getPost($this->strName));
$options = $this->getPost($this->strName);

// Check if there is at least one value
if ($mandatory && is_array($options))
Expand Down
1 change: 1 addition & 0 deletions system/modules/rep_base/RepositorySettings.php
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,7 @@
'30000009,30000009;'. // 3.0.0 stable
'30000006,30000006;'. // 3.0.0 RC1
'30000003,30000003;'. // 3.0.0 beta1
'20110149,20110149;'. // 2.11.14 stable
'20110139,20110139;'. // 2.11.13 stable
'20110129,20110129;'. // 2.11.12 stable
'20110119,20110119;'. // 2.11.11 stable
Expand Down
2 changes: 1 addition & 1 deletion system/modules/rep_client/RepositoryManager.php
Original file line number Diff line number Diff line change
Expand Up @@ -417,7 +417,7 @@ protected function update()
// return from submit?
if ($this->filterPost('repository_action') == $rep->f_action) {
if (isset($_POST['repository_cancelbutton'])) $this->redirect($rep->homeLink);
$sql = deserialize($this->Input->post('sql'));
$sql = $this->Input->post('sql');
if (is_array($sql)) {
foreach ($sql as $key) {
if (isset($_SESSION['sql_commands'][$key])) {
Expand Down

0 comments on commit f939b5b

Please sign in to comment.