Showing with 20 additions and 16 deletions.

+1 −1 system/config/constants.php

+8 −0 system/docs/CHANGELOG.md

+3 −15 system/helper/functions.php

+6 −0 system/modules/core/library/Contao/Input.php

+2 −0 system/modules/repository/classes/RepositorySettings.php
diff --git a/system/config/constants.php b/system/config/constants.php
@@ -15,7 +15,7 @@
  * Core version
  */
 define('VERSION', '3.2');
-define('BUILD', '6');
+define('BUILD', '7');
 define('LONG_TERM_SUPPORT', true);
 
 

diff --git a/system/docs/CHANGELOG.md b/system/docs/CHANGELOG.md
@@ -1,6 +1,14 @@
 Contao Open Source CMS changelog
 ================================
 
+Version 3.2.7 (2014-02-13)
+--------------------------
+
+### Fixed
+Fix another weakness in the `Input` class and further harden the `deserialize()`
+function. Thanks to Martin Auswöger for his input.
+
+
 Version 3.2.6 (2014-02-12)
 --------------------------
 

diff --git a/system/helper/functions.php b/system/helper/functions.php
@@ -304,22 +304,10 @@ function deserialize($varValue, $blnForceArray=false)
 	}
 
 	// Potentially including an object (see #6724)
-	if (strpos($varValue, 'O:') !== false)
+	if (preg_match('/[OoC]:\+?[0-9]+:"/', $varValue))
 	{
-		$arrMatches = array();
-
-		// Check each match if it is an object (see #6732)
-		if (preg_match_all('/(^|;)O:[0-9]+:"([^"]+)"/', $varValue, $arrMatches))
-		{
-			foreach ($arrMatches[2] as $strMatch)
-			{
-				if ($strMatch != 'stdClass' && class_exists($strMatch))
-				{
-					trigger_error('The deserialize() function does not allow serialized objects', E_USER_WARNING);
-					return $blnForceArray ? array($varValue) : $varValue;
-				}
-			}
-		}
+		trigger_error('The deserialize() function does not allow serialized objects', E_USER_WARNING);
+		return $blnForceArray ? array($varValue) : $varValue;
 	}
 
 	$varUnserialized = @unserialize($varValue);

diff --git a/system/modules/core/library/Contao/Input.php b/system/modules/core/library/Contao/Input.php
@@ -462,6 +462,12 @@ public static function stripTags($varValue, $strAllowedTags='')
 		$varValue = strip_tags($varValue, $strAllowedTags);
 		$varValue = str_replace(array('&lt;!--', '&lt;![', '--&gt;'), array('<!--', '<![', '-->'), $varValue);
 
+		// Recheck for encoded null bytes
+		while (strpos($varValue, '\\0') !== false)
+		{
+			$varValue = str_replace('\\0', '', $varValue);
+		}
+
 		return $varValue;
 	}
 

diff --git a/system/modules/repository/classes/RepositorySettings.php b/system/modules/repository/classes/RepositorySettings.php
@@ -17,6 +17,7 @@
 
 // valid core versions in descending order
 define('REPOSITORY_COREVERSIONS',
+		'30020079,30020079;'.	// 3.2.7 stable
 		'30020069,30020069;'.	// 3.2.6 stable
 		'30020059,30020059;'.	// 3.2.5 stable
 		'30020049,30020049;'.	// 3.2.4 stable
@@ -45,6 +46,7 @@
 		'30000007,30000007;'.	// 3.0.0 RC2
 		'30000006,30000006;'.	// 3.0.0 RC1
 		'30000003,30000003;'.	// 3.0.0 beta1
+		'20110169,20110169;'.	// 2.11.16 stable
 		'20110159,20110159;'.	// 2.11.15 stable
 		'20110149,20110149;'.	// 2.11.14 stable
 		'20110139,20110139;'.	// 2.11.13 stable