Skip to content
This repository has been archived by the owner on Oct 17, 2022. It is now read-only.

Security issues in Contao #6695

Closed
pedrib opened this issue Jan 30, 2014 · 6 comments
Closed

Security issues in Contao #6695

pedrib opened this issue Jan 30, 2014 · 6 comments
Labels
defect
Milestone
3.2.5

Comments

@pedrib
Copy link

pedrib commented Jan 30, 2014

Hi,

I have found a few security issues in the latest stable of contao.

Please contact me by email (pedrib@gmail.com) so that I can send the report to you.

To avoid revealing the bug before it's fixed, I will only send the report to people who have committed changed to the repository in the last 2 versions.

Regards,
Pedro
@aschempp
Copy link
Member

Please send it to andreas.schempp@terminal42.ch

leofeyer added a commit that referenced this issue Jan 31, 2014
@leofeyer
Do not process serialized objects in the deserialize() function (see
8c9cb04 
…#6695)

Do not process serialized objects in the `deserialize()` function, so it is not vulnerable to PHP object injection in conjunction with raw POST data. Thanks to Pedro Ribeiro for his input.
@leofeyer
Copy link
Member

@pedrib Thanks a lot for your input. I have removed all redundant deserialize() calls in d67c46c.

@aschempp
Copy link
Member

aschempp commented Feb 3, 2014

@leofeyer looks like you did not consider the fact that people might currently use deserialize() to produce objects??

@aschempp
Copy link
Member

aschempp commented Feb 3, 2014

Also, your currently implementation will not help anything if I wrap an object inside an array...

@leofeyer
Copy link
Member

leofeyer commented Feb 3, 2014

you did not consider the fact that people might currently use deserialize() to produce objects?

Yes, I did. But fixing potential vulnerabilities weights more than backwards compatibility.

leofeyer added a commit that referenced this issue Feb 3, 2014
@leofeyer
Do not pass POST data to the deserialize() function (see #6695)
d67c46c 
Do not pass POST data to the `deserialize()` function, so it is not vulnerable to PHP object injection. Thanks to Pedro Ribeiro for his input.
leofeyer added a commit that referenced this issue Feb 3, 2014
@leofeyer
Do not pass POST data to the deserialize() function (see #6695)
7cf23d0 
Do not pass POST data to the `deserialize()` function, so it is not vulnerable to PHP object injection. Thanks to Pedro Ribeiro for his input.
leofeyer added a commit that referenced this issue Feb 3, 2014
@leofeyer
Do not pass POST data to the deserialize() function (see #6695)
f939b5b 
Do not pass POST data to the `deserialize()` function, so it is not vulnerable to PHP object injection. Thanks to Pedro Ribeiro for his input.
@leofeyer
Copy link
Member

leofeyer commented Feb 3, 2014

I have also back-ported the changes to our old LTS branch in f939b5b.

@discordier discordier mentioned this issue Feb 11, 2014
Closed
leofeyer added a commit that referenced this issue Oct 31, 2014
@leofeyer
Do not pass POST data to the deserialize() function (see #6695)
92cb467 
Do not pass POST data to the `deserialize()` function, so it is not vulnerable to PHP object injection. Thanks to Pedro Ribeiro for his input.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
defect
Projects
None yet
Milestone
3.2.5
Development

No branches or pull requests
3 participants
@aschempp @leofeyer @pedrib