Showing with 27 additions and 16 deletions.
  1. +8 −0 CHANGELOG.md
  2. +1 −1 system/constants.php
  3. +3 −15 system/functions.php
  4. +6 −0 system/libraries/Input.php
  5. +9 −0 system/modules/rep_base/RepositorySettings.php
8 changes: 8 additions & 0 deletions CHANGELOG.md
@@ -1,6 +1,14 @@
Contao Open Source CMS Changelog
================================

Version 2.11.16 (2014-02-13)
----------------------------

### Fixed
Fix another weakness in the `Input` class and further harden the `deserialize()`
function. Thanks to Martin Auswöger for his input.


Version 2.11.15 (2014-02-12)
----------------------------

2 changes: 1 addition & 1 deletion system/constants.php
Expand Up @@ -57,7 +57,7 @@
* the web browser reload those resources after a Contao update.
*/
define('VERSION', '2.11');
define('BUILD', '15');
define('BUILD', '16');
define('LONG_TERM_SUPPORT', true);
define('CODEMIRROR', '2.2');
define('DATEPICKER', '2.1.1');
18 changes: 3 additions & 15 deletions system/functions.php
Expand Up @@ -390,22 +390,10 @@ function deserialize($varValue, $blnForceArray=false)
}

// Potentially including an object (see #6724)
if (strpos($varValue, 'O:') !== false)
if (preg_match('/[OoC]:\+?[0-9]+:"/', $varValue))
{
$arrMatches = array();

// Check each match if it is an object (see #6732)
if (preg_match_all('/(^|;)O:[0-9]+:"([^"]+)"/', $varValue, $arrMatches))
{
foreach ($arrMatches[2] as $strMatch)
{
if ($strMatch != 'stdClass' && class_exists($strMatch))
{
trigger_error('The deserialize() function does not allow serialized objects', E_USER_WARNING);
return $blnForceArray ? array($varValue) : $varValue;
}
}
}
trigger_error('The deserialize() function does not allow serialized objects', E_USER_WARNING);
return $blnForceArray ? array($varValue) : $varValue;
}

$varUnserialized = @unserialize($varValue);
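Review bot: The comment above the rewritten condition still reads `// Potentially including an object (see #6724)` and no longer explains why the pattern also matches lowercase `o:`, `C:` and an optional `+` before the length; I would expand it to `// Reject every object notation unserialize() has historically accepted (O:, legacy o:, C: for Serializable), including a '+' sign before the length (see #6724, #6732)`. The pattern is unanchored, so a legitimate serialized string value whose bytes happen to contain such a sequence is now also rejected with an E_USER_WARNING and handed back unparsed; since callers get no other signal than that warning, the function docblock should state this trade-off. Where the supported PHP version allows it, `unserialize($varValue, array('allowed_classes' => false))` would replace the blocklist with an engine-level guarantee. deserialize() starts and ends outside the hunk.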
6 changes: 6 additions & 0 deletions system/libraries/Input.php
Expand Up @@ -437,6 +437,12 @@ protected function stripTags($varValue, $strAllowedTags='')
$varValue = strip_tags($varValue, $strAllowedTags);
$varValue = str_replace(array('&lt;!--', '&lt;![', '--&gt;'), array('<!--', '<![', '-->'), $varValue);

// Recheck for encoded null bytes
while (strpos($varValue, '\\0') !== false)
{
$varValue = str_replace('\\0', '', $varValue);
}

return $varValue;
}

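Review bot: The new loop strips the two-character sequence backslash-zero (`'\\0'` is single-quoted, so it is not a NUL byte), and the comment `// Recheck for encoded null bytes` does not say why a loop is needed where a single str_replace() would appear to do; I would write `// Remove the escaped sequence \0 repeatedly: deleting one occurrence can expose another (e.g. \\00 becomes \0), so a single pass is not enough`. Whether raw NUL bytes are handled earlier in stripTags() or by its callers cannot be seen here; if they are not, a `"\0"` (double-quoted) replacement alongside this one would be worth considering. Legitimate text that literally contains `\0` is silently altered rather than rejected, which the function docblock should state. stripTags() begins before the hunk.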
9 changes: 9 additions & 0 deletions system/modules/rep_base/RepositorySettings.php
Expand Up @@ -42,6 +42,14 @@

// valid core versions in descending order
define('REPOSITORY_COREVERSIONS',
'30020079,30020079;'. // 3.2.7 stable
'30020069,30020069;'. // 3.2.6 stable
'30020059,30020059;'. // 3.2.5 stable
'30020049,30020049;'. // 3.2.4 stable
'30020039,30020039;'. // 3.2.3 stable
'30020029,30020029;'. // 3.2.2 stable
'30020019,30020019;'. // 3.2.1 stable
'30020009,30020009;'. // 3.2.0 stable
'30020006,30020006;'. // 3.2.0 RC1
'30020004,30020004;'. // 3.2.0 beta2
'30020003,30020003;'. // 3.2.0 beta1
Expand All @@ -62,6 +70,7 @@
'30000009,30000009;'. // 3.0.0 stable
'30000006,30000006;'. // 3.0.0 RC1
'30000003,30000003;'. // 3.0.0 beta1
'20110169,20110169;'. // 2.11.16 stable
'20110159,20110159;'. // 2.11.15 stable
'20110149,20110149;'. // 2.11.14 stable
'20110139,20110139;'. // 2.11.13 stable