/core

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security issues in Contao #6695

Closed
pedrib opened this Issue Jan 30, 2014 · 6 comments

Comments

Assignees
No one assigned
Labels
Projects
None yet
Milestone
  3.2.5
3 participants
@pedrib @aschempp @leofeyer
@pedrib

pedrib commented Jan 30, 2014

Hi,

I have found a few security issues in the latest stable of contao.

Please contact me by email (pedrib@gmail.com) so that I can send the report to you.

To avoid revealing the bug before it's fixed, I will only send the report to people who have committed changed to the repository in the last 2 versions.

Regards,
Pedro
@aschempp

This comment has been minimized.

Sign in to view
Contributor

aschempp commented Jan 30, 2014

Please send it to andreas.schempp@terminal42.ch

leofeyer added a commit that referenced this issue Jan 31, 2014

@leofeyer
Do not process serialized objects in the `deserialize()` function (see 
…#6695)

Do not process serialized objects in the `deserialize()` function, so it is not vulnerable to PHP object injection in conjunction with raw POST data. Thanks to Pedro Ribeiro for his input.
8c9cb04
@leofeyer

This comment has been minimized.

Sign in to view
Member

leofeyer commented Jan 31, 2014

@pedrib Thanks a lot for your input. I have removed all redundant deserialize() calls in d67c46c.

@leofeyer leofeyer closed this Jan 31, 2014

@aschempp

This comment has been minimized.

Sign in to view
Contributor

aschempp commented Feb 3, 2014

@leofeyer looks like you did not consider the fact that people might currently use deserialize() to produce objects??
@aschempp

This comment has been minimized.

Sign in to view
Contributor

aschempp commented Feb 3, 2014

Also, your currently implementation will not help anything if I wrap an object inside an array...
@leofeyer

This comment has been minimized.

Sign in to view
Member

leofeyer commented Feb 3, 2014

you did not consider the fact that people might currently use deserialize() to produce objects?

Yes, I did. But fixing potential vulnerabilities weights more than backwards compatibility.

leofeyer added a commit that referenced this issue Feb 3, 2014

@leofeyer
Do not pass POST data to the `deserialize()` function (see #6695) 
Do not pass POST data to the `deserialize()` function, so it is not vulnerable to PHP object injection. Thanks to Pedro Ribeiro for his input.
d67c46c

leofeyer added a commit that referenced this issue Feb 3, 2014

@leofeyer
Do not pass POST data to the `deserialize()` function (see #6695) 
Do not pass POST data to the `deserialize()` function, so it is not vulnerable to PHP object injection. Thanks to Pedro Ribeiro for his input.
7cf23d0

leofeyer added a commit that referenced this issue Feb 3, 2014

@leofeyer
Do not pass POST data to the `deserialize()` function (see #6695) 
Do not pass POST data to the `deserialize()` function, so it is not vulnerable to PHP object injection. Thanks to Pedro Ribeiro for his input.
f939b5b
@leofeyer

This comment has been minimized.

Sign in to view
Member

leofeyer commented Feb 3, 2014

I have also back-ported the changes to our old LTS branch in f939b5b.

discordier added a commit to discordier/core that referenced this issue Feb 11, 2014

@discordier
Harden the core classes agains unserialize() object injections. 
See contao#6695.
We implement a __wakeup() method in all classes having a __destruct()
method that unsets all object properties and throws an exception().
47d80df

@discordier discordier referenced this issue Feb 11, 2014

Closed

Harden the core classes against unserialize() object injections. #6730

leofeyer added a commit that referenced this issue Oct 31, 2014

@leofeyer
Do not pass POST data to the `deserialize()` function (see #6695) 
Do not pass POST data to the `deserialize()` function, so it is not vulnerable to PHP object injection. Thanks to Pedro Ribeiro for his input.
92cb467
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment