This repository has been archived by the owner on Oct 17, 2022. It is now read-only.
Security issues in Contao #6695
Comments
Please send it to andreas.schempp@terminal42.ch
leofeyer added a commit that referenced this issue on Jan 31, 2014
…#6695) Do not process serialized objects in the `deserialize()` function, so it is not vulnerable to PHP object injection in conjunction with raw POST data. Thanks to Pedro Ribeiro for his input.
@leofeyer looks like you did not consider the fact that people might currently use
Also, your current implementation will not help anything if I wrap an object inside an array...
Yes, I did. But fixing potential vulnerabilities weighs more than backwards compatibility.
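The array-wrapping point raised above is why a check for a top-level serialized object is not enough: the object can sit anywhere inside the payload. The following is an added example, not Contao's own code; the function names `safeDeserialize()` and `containsObject()` and the sample inputs are constructed for illustration. It refuses serialized objects at any nesting depth by combining `unserialize()` with `allowed_classes => false` (PHP 7.0 and later) and a recursive walk over the result.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not Contao's deserialize()): unserialize untrusted data
 * while refusing any serialized object, however deeply it is nested.
 *
 * Layer 1: allowed_classes => false means no application class is ever
 *          instantiated, so no __wakeup()/__destruct() of an application
 *          class can run; every object becomes __PHP_Incomplete_Class.
 * Layer 2: a recursive walk rejects the whole payload if any such
 *          placeholder is present, so callers never receive object-shaped
 *          data, not even wrapped inside an array.
 */
function safeDeserialize(string $data, $fallback = null)
{
    if ($data === '') {
        return $fallback;
    }

    $result = @unserialize($data, ['allowed_classes' => false]);

    // unserialize() returns false on malformed input; 'b:0;' is the one
    // legitimate payload that also deserializes to false.
    if ($result === false && $data !== 'b:0;') {
        return $fallback;
    }

    return containsObject($result) ? $fallback : $result;
}

function containsObject($value): bool
{
    if (is_object($value)) {
        return true; // __PHP_Incomplete_Class under allowed_classes => false
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed inputs: a plain array of scalars, which is accepted, and a
// stdClass object wrapped inside an array, which is rejected as a whole.
$plain   = serialize(['page' => 1, 'tags' => ['a', 'b']]);
$wrapped = 'a:1:{i:0;O:8:"stdClass":0:{}}';

var_dump(safeDeserialize($plain));
var_dump(safeDeserialize($wrapped, 'rejected'));
```

Rejecting the whole payload rather than stripping the offending element keeps the behaviour predictable for callers that expect only scalars and arrays.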
leofeyer added a commit that referenced this issue on Feb 3, 2014
Do not pass POST data to the `deserialize()` function, so it is not vulnerable to PHP object injection. Thanks to Pedro Ribeiro for his input.
leofeyer added a commit that referenced this issue on Feb 3, 2014
Do not pass POST data to the `deserialize()` function, so it is not vulnerable to PHP object injection. Thanks to Pedro Ribeiro for his input.
leofeyer added a commit that referenced this issue on Feb 3, 2014
Do not pass POST data to the `deserialize()` function, so it is not vulnerable to PHP object injection. Thanks to Pedro Ribeiro for his input.
I have also back-ported the changes to our old LTS branch in f939b5b.
leofeyer added a commit that referenced this issue on Oct 31, 2014
Do not pass POST data to the `deserialize()` function, so it is not vulnerable to PHP object injection. Thanks to Pedro Ribeiro for his input.
Hi,
I have found a few security issues in the latest stable of Contao.
Please contact me by email (pedrib@gmail.com) so that I can send the report to you.
To avoid revealing the bug before it's fixed, I will only send the report to people who have committed changes to the repository in the last 2 versions.
Regards,
Pedro