Merge pull request maintaina-com#10 from maintaina-com/fix-upstream-Z…

…DI-20-1051 Address ZDI-20-1051 / ZDI-CAN-10436: Prevent deserializing a class.
midahp · Oct 22, 2022 · 5f9aef5 · 5f9aef5
2 parents 8d19f07 + a526249
commit 5f9aef5
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/lib/Prefs/Sort.php b/lib/Prefs/Sort.php
@@ -39,9 +39,13 @@ public function __construct()
     {
         global $prefs;
 
-        $sortpref = @unserialize($prefs->getValue(self::SORTPREF));
-        if (is_array($sortpref)) {
-            $this->_sortpref = $sortpref;
+        $serializedPref = $prefs->getValue(self::SORTPREF);
+        // Only unserialize non-empty strings. Disallow yielding any classes.
+        if (!empty($serializedPref && is_string($serializedPref))) {
+            $sortpref = @unserialize($serializedPref, ['allowed_classes' => false]);
+            if (is_array($sortpref)) {
+                $this->_sortpref = $sortpref;
+            }
         }
     }