Deserialization of untrusted data #7
Conversation
xgin
force-pushed
the
unserialize-untrusted-data
branch
from
9992f93
to
2682273
Compare
| @@ -811,7 +811,7 @@ public function buildAndSendMessage( | |||
| )); | |||
|
|
|||
| /* Add preferred reply language(s). */ | |||
| if ($lang = @unserialize($prefs->getValue('reply_lang'))) { | |||
| if ($lang = @unserialize($prefs->getValue('reply_lang'), array('allowed_classes' => false))) { | |||
There was a problem hiding this comment.
I could not find a way to set a value of this preference. Is it used available anywhere?
There was a problem hiding this comment.
It's an advanced preference in the "Compose" preference group.
| @@ -577,7 +580,7 @@ protected function _upgradeStationeryToTemplates() | |||
| { | |||
| global $injector, $prefs; | |||
|
|
|||
| $slist = @unserialize($prefs->getValue('stationery')); | |||
| $slist = @unserialize($prefs->getValue('stationery'), array('allowed_classes' => false)); | |||
There was a problem hiding this comment.
Do you have a deprecation policy, when this property can be removed?
There was a problem hiding this comment.
It is already removed, as a settable preference. We don't remove migrations though.
|
The allowed_classes option is added with PHP 7.0, so we can only use this in IMP 7. For IMP 6, we need to find a different solution. Or at least do a version check. |
There was a problem hiding this comment.
This patch appears to be broken as-is. See tribut@2e27df5, tribut@8a81c3b and tribut@2a9f221, maybe more additions are needed.
| $ob = @unserialize($ob, array('allowed_classes' => array( | ||
| 'IMP_Mailbox_List_Virtual', | ||
| 'IMP_Mailbox_List_Pop3', | ||
| 'IMP_Mailbox_List', |
There was a problem hiding this comment.
This needs to include 'IMP_Mailbox'. In our tests, applying this patch without it, broke viewing messages.
| 'IMP_Flag_Imap_Forwarded', | ||
| 'IMP_Flag_Imap_Junk', | ||
| 'IMP_Flag_Imap_NotJunk', | ||
| 'IMP_Flag_Imap_Seen', |
There was a problem hiding this comment.
This needs to include 'IMP_Flag_User' as well as the 'IMP_Flag_System_' classes (not sure about all of them, we've seen errors without IMP_Flag_System_Unseen at least).
I want to resolve ZDI-20-1051 vulnerability (additional details) using json serialization when possible and the list of allowed classes in other cases.