fix(security): restrict unserialize allowed_classes (ZDI-20-1051)

ralflang · ralflang · commit 066b603603c8 · 2026-05-27T13:22:45.000+02:00
Follow-up to #7 Allow only these classes when deserializing: - msgflags: IMP_Flag_User, IMP_Flag_Imap_*, IMP_Flag_System_* - filter: IMP_Search_Filter, IMP_Search_Element_* - vfolder: IMP_Search_Vfolder, IMP_Search_Vfolder_Vinbox, IMP_Search_Vfolder_Vtrash, IMP_Search_Element_* - remote: IMP_Remote_Account - mailbox list cache: IMP_Mailbox_List, IMP_Mailbox_List_Virtual, IMP_Mailbox_List_Pop3 Deserialization restricted to data-only (no class support) for: reply_lang, expanded_folders, nav_poll, stationery
diff --git a/lib/Compose.php b/lib/Compose.php
@@ -821,7 +821,7 @@ public function buildAndSendMessage(
         ));
 
         /* Add preferred reply language(s). */
-        if ($lang = @unserialize($prefs->getValue('reply_lang'))) {
+        if ($lang = @unserialize($prefs->getValue('reply_lang'), ['allowed_classes' => false])) {
             $headers->addHeader('Accept-Language', implode(',', $lang));
         }
 
diff --git a/lib/Factory/MailboxList.php b/lib/Factory/MailboxList.php
@@ -56,7 +56,11 @@ public function create($mailbox)
             $mailbox = IMP_Mailbox::get($mailbox);
 
             if ($ob = $this->_getCache($mailbox)->get($key)) {
-                $ob = @unserialize($ob);
+                $ob = @unserialize($ob, ['allowed_classes' => [
+                    'IMP_Mailbox_List',
+                    'IMP_Mailbox_List_Virtual',
+                    'IMP_Mailbox_List_Pop3',
+                ]]);
             }
 
             if (!$ob) {
diff --git a/lib/Flags.php b/lib/Flags.php
@@ -72,7 +72,25 @@ public function __construct()
         }
 
         if ($f_list = $GLOBALS['prefs']->getValue('msgflags')) {
-            $f_list = @unserialize($f_list);
+            $f_list = @unserialize($f_list, ['allowed_classes' => [
+                'IMP_Flag_User',
+                'IMP_Flag_Imap_Answered',
+                'IMP_Flag_Imap_Deleted',
+                'IMP_Flag_Imap_Draft',
+                'IMP_Flag_Imap_Flagged',
+                'IMP_Flag_Imap_Forwarded',
+                'IMP_Flag_Imap_Junk',
+                'IMP_Flag_Imap_NotJunk',
+                'IMP_Flag_Imap_Seen',
+                'IMP_Flag_System_Attachment',
+                'IMP_Flag_System_Encrypted',
+                'IMP_Flag_System_HighPriority',
+                'IMP_Flag_System_List',
+                'IMP_Flag_System_LowPriority',
+                'IMP_Flag_System_Personal',
+                'IMP_Flag_System_Signed',
+                'IMP_Flag_System_Unseen',
+            ]]);
             if (is_array($f_list)) {
                 foreach ($f_list as $val) {
                     $this->_userflags[$val->id] = $val;
diff --git a/lib/Ftree/Prefs/Expanded.php b/lib/Ftree/Prefs/Expanded.php
@@ -42,7 +42,7 @@ public function __construct()
     {
         global $prefs;
 
-        if (($folders = @unserialize($prefs->getValue('expanded_folders')))
+        if (($folders = @unserialize($prefs->getValue('expanded_folders'), ['allowed_classes' => false]))
             && is_array($folders)) {
             $this->_data = $folders;
         }
diff --git a/lib/Ftree/Prefs/Poll.php b/lib/Ftree/Prefs/Poll.php
@@ -48,7 +48,7 @@ public function __construct(IMP_Ftree $ftree)
             $this->_data = ['INBOX' => 1];
 
             /* Add the list of polled mailboxes from the prefs. */
-            if ($nav_poll = @unserialize($prefs->getValue('nav_poll'))) {
+            if ($nav_poll = @unserialize($prefs->getValue('nav_poll'), ['allowed_classes' => false])) {
                 $this->_data += $nav_poll;
             }
 
diff --git a/lib/LoginTasks/SystemTask/Upgrade.php b/lib/LoginTasks/SystemTask/Upgrade.php
@@ -345,7 +345,24 @@ protected function _upgradeVirtualFolders()
 
         $vfolders = $prefs->getValue('vfolder');
         if (!empty($vfolders)) {
-            $vfolders = @unserialize($vfolders);
+            $vfolders = @unserialize($vfolders, ['allowed_classes' => [
+                'IMP_Search_Vfolder_Vinbox',
+                'IMP_Search_Vfolder_Vtrash',
+                'IMP_Search_Element_Attachment',
+                'IMP_Search_Element_Autogenerated',
+                'IMP_Search_Element_Bulk',
+                'IMP_Search_Element_Contacts',
+                'IMP_Search_Element_Daterange',
+                'IMP_Search_Element_Flag',
+                'IMP_Search_Element_Header',
+                'IMP_Search_Element_Mailinglist',
+                'IMP_Search_Element_Or',
+                'IMP_Search_Element_Personal',
+                'IMP_Search_Element_Recipient',
+                'IMP_Search_Element_Size',
+                'IMP_Search_Element_Text',
+                'IMP_Search_Element_Within',
+            ]]);
         }
 
         if (empty($vfolders) || !is_array($vfolders)) {
@@ -578,7 +595,7 @@ protected function _upgradeStationeryToTemplates()
     {
         global $injector, $prefs;
 
-        $slist = @unserialize($prefs->getValue('stationery'));
+        $slist = @unserialize($prefs->getValue('stationery'), ['allowed_classes' => false]);
         if (is_array($slist)) {
             /* Old entry format:
              * 'c' => (string) Content
diff --git a/lib/Remote.php b/lib/Remote.php
@@ -38,7 +38,10 @@ class IMP_Remote implements ArrayAccess, IteratorAggregate
      */
     public function __construct()
     {
-        $this->_accounts = @unserialize($GLOBALS['prefs']->getValue('remote')) ?: [];
+        $this->_accounts = @unserialize(
+            $GLOBALS['prefs']->getValue('remote'),
+            ['allowed_classes' => ['IMP_Remote_Account']]
+        ) ?: [];
     }
 
     /**
diff --git a/lib/Search.php b/lib/Search.php
@@ -207,7 +207,23 @@ protected function _getFilters()
         }
 
         if ($f_list = $GLOBALS['prefs']->getValue('filter')) {
-            $f_list = @unserialize($f_list);
+            $f_list = @unserialize($f_list, ['allowed_classes' => [
+                'IMP_Search_Filter',
+                'IMP_Search_Element_Attachment',
+                'IMP_Search_Element_Autogenerated',
+                'IMP_Search_Element_Bulk',
+                'IMP_Search_Element_Contacts',
+                'IMP_Search_Element_Daterange',
+                'IMP_Search_Element_Flag',
+                'IMP_Search_Element_Header',
+                'IMP_Search_Element_Mailinglist',
+                'IMP_Search_Element_Or',
+                'IMP_Search_Element_Personal',
+                'IMP_Search_Element_Recipient',
+                'IMP_Search_Element_Size',
+                'IMP_Search_Element_Text',
+                'IMP_Search_Element_Within',
+            ]]);
             if (is_array($f_list)) {
                 foreach ($f_list as $val) {
                     if ($val instanceof IMP_Search_Filter) {
@@ -297,7 +313,25 @@ protected function _getVFolders()
         }
 
         if ($pref_vf = $GLOBALS['prefs']->getValue('vfolder')) {
-            $pref_vf = @unserialize($pref_vf);
+            $pref_vf = @unserialize($pref_vf, ['allowed_classes' => [
+                'IMP_Search_Vfolder',
+                'IMP_Search_Vfolder_Vinbox',
+                'IMP_Search_Vfolder_Vtrash',
+                'IMP_Search_Element_Attachment',
+                'IMP_Search_Element_Autogenerated',
+                'IMP_Search_Element_Bulk',
+                'IMP_Search_Element_Contacts',
+                'IMP_Search_Element_Daterange',
+                'IMP_Search_Element_Flag',
+                'IMP_Search_Element_Header',
+                'IMP_Search_Element_Mailinglist',
+                'IMP_Search_Element_Or',
+                'IMP_Search_Element_Personal',
+                'IMP_Search_Element_Recipient',
+                'IMP_Search_Element_Size',
+                'IMP_Search_Element_Text',
+                'IMP_Search_Element_Within',
+            ]]);
             if (is_array($pref_vf)) {
                 foreach ($pref_vf as $val) {
                     if ($val instanceof IMP_Search_Vfolder) {

Original file line number	Diff line number	Diff line change
`@@ -821,7 +821,7 @@ public function buildAndSendMessage(`
`821`	`821`	`));`
`822`	`822`
`823`	`823`	`/* Add preferred reply language(s). */`
`824`		`- if ($lang = @unserialize($prefs->getValue('reply_lang'))) {`
	`824`	`+ if ($lang = @unserialize($prefs->getValue('reply_lang'), ['allowed_classes' => false])) {`
`825`	`825`	`$headers->addHeader('Accept-Language', implode(',', $lang));`
`826`	`826`	`}`
`827`	`827`
Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ public function __construct()`
`42`	`42`	`{`
`43`	`43`	`global $prefs;`
`44`	`44`
`45`		`- if (($folders = @unserialize($prefs->getValue('expanded_folders')))`
	`45`	`+ if (($folders = @unserialize($prefs->getValue('expanded_folders'), ['allowed_classes' => false]))`
`46`	`46`	`&& is_array($folders)) {`
`47`	`47`	`$this->_data = $folders;`
`48`	`48`	`}`
Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ public function __construct(IMP_Ftree $ftree)`
`48`	`48`	`$this->_data = ['INBOX' => 1];`
`49`	`49`
`50`	`50`	`/* Add the list of polled mailboxes from the prefs. */`
`51`		`- if ($nav_poll = @unserialize($prefs->getValue('nav_poll'))) {`
	`51`	`+ if ($nav_poll = @unserialize($prefs->getValue('nav_poll'), ['allowed_classes' => false])) {`
`52`	`52`	`$this->_data += $nav_poll;`
`53`	`53`	`}`
`54`	`54`
Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,10 @@ class IMP_Remote implements ArrayAccess, IteratorAggregate`
`38`	`38`	`*/`
`39`	`39`	`public function __construct()`
`40`	`40`	`{`
`41`		`- $this->_accounts = @unserialize($GLOBALS['prefs']->getValue('remote')) ?: [];`
	`41`	`+ $this->_accounts = @unserialize(`
	`42`	`+ $GLOBALS['prefs']->getValue('remote'),`
	`43`	`+ ['allowed_classes' => ['IMP_Remote_Account']]`
	`44`	`+ ) ?: [];`
`42`	`45`	`}`
`43`	`46`
`44`	`47`	`/**`