
Critical security vulnerability

chrisgraham committed May 14, 2019
1 parent f6c4251 commit b88ad9b3056f12d965dce6056b6f27756a1d489e
@@ -1314,7 +1314,7 @@ public function send_gui($_existing = '')
if (!is_null($csv_data)) {
$hidden->attach(form_input_hidden('csv_data', $csv_data));
secure_serialized_data($csv_data, array());
$_csv_data = unserialize($csv_data);
$_csv_data = unserialize($csv_data, array('allowed_classes' => false));
$num_csv_data = count($_csv_data) - 1;
$send_to_help = do_lang_tempcode('SOME_NEWSLETTER_TARGETS_KNOWN', escape_html(integer_format($num_csv_data)));
}
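Review bot: `$num_csv_data = count($_csv_data) - 1;` runs on whatever `unserialize()` returned, and that is `false` for malformed data, so `count()` throws a TypeError on PHP 8 and warns on PHP 7; guard it first with `if (!is_array($_csv_data)) { $_csv_data = array(); }`. The hidden field is also attached one line before `secure_serialized_data()` rewrites `$csv_data` by reference (its `&$data` signature and "What to substitute if objects are contained" docblock are in this commit), so the form round-trips the original, unchecked payload rather than the sanitised one; moving the `form_input_hidden()` call below the check keeps the two in step. send_gui's body continues outside the hunk.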
@@ -505,7 +505,7 @@ function ajax_tree_script()
$_options = serialize(array());
}
secure_serialized_data($_options);
$options = @unserialize($_options);
$options = @unserialize($_options, array('allowed_classes' => false));
if ($options === false) {
warn_exit(do_lang_tempcode('INTERNAL_ERROR'));
}
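Review bot: The guard `if ($options === false)` only catches a failed unserialize; a well-formed payload that is not an array (an integer, a string, or now an `__PHP_Incomplete_Class` standing in for any object) passes through, whereas post_comment_script in this same commit uses the `is_array` form, so `if (!is_array($options)) {` would be both safer and consistent. Separately, the two-argument `unserialize()` form this commit introduces at every call site exists only from PHP 7.0; if the project's minimum supported version is lower, the extra argument makes the call warn and return null on those installs, silently turning each of these sites into its error path, which is worth confirming against the declared minimum. How `$options` is consumed afterwards is outside the hunk.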
@@ -410,7 +410,7 @@ function _check_stopforumspam($user_ip, $username = null, $email = null)
secure_serialized_data($_result);
$result = @unserialize($_result);
$result = @unserialize($_result, array('allowed_classes' => false));
if ($result !== false) {
if ($result['success']) {
foreach (array('username', 'email', 'ip') as $criterion) {
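Review bot: `$result['success']` is read right after a `$result !== false` check, so a response that unserializes to a scalar (or to `__PHP_Incomplete_Class` now that objects are refused) reaches an array offset on a non-array; the guard should be `if (is_array($result) && !empty($result['success'])) {`. `$_result` is presumably the remote service's response body (its origin is above the hunk) and should be treated as untrusted throughout, and the `@` on `unserialize()` hides the notice that would otherwise surface a malformed response in the logs. The enclosing function continues outside the hunk.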
@@ -1213,7 +1213,7 @@ protected function _handle_php_command()
}
$_commandr_state_diff = base64_decode($_COOKIE['commandr_state']);
secure_serialized_data($_commandr_state_diff);
$commandr_state_diff = @unserialize($_commandr_state_diff);
$commandr_state_diff = @unserialize($_commandr_state_diff, array('allowed_classes' => false));
if (!is_array($commandr_state_diff)) {
$commandr_state_diff = array();
}
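Review bot: The decode → `secure_serialized_data()` → `@unserialize(..., allowed_classes false)` → `is_array` fallback sequence is repeated three times in `_handle_php_command` (this hunk and the two that follow for `commandr_state_lang` and `commandr_state_code`), which is exactly the kind of security-relevant boilerplate that drifts when one copy is patched later and the others are not. Pull it into one helper and call it as `$commandr_state_diff = $this->_decode_commandr_state_cookie($_COOKIE['commandr_state']);` at each site. The cookies are client-controlled, so the helper's contract should be documented as returning an empty array for anything that is not a serialized array. The enclosing method starts and ends outside the hunk.
```php
    /**
     * Decode a client-supplied commandr state cookie into an array.
     * Anything that is not a serialized array (malformed data, objects, scalars) yields an empty array.
     *
     * @param string $cookie_value Raw cookie value (base64 of serialized data)
     * @return array Decoded state
     */
    protected function _decode_commandr_state_cookie($cookie_value)
    {
        $raw = base64_decode($cookie_value);
        secure_serialized_data($raw);
        $state = @unserialize($raw, array('allowed_classes' => false));
        return is_array($state) ? $state : array();
    }
    // … unchanged: the three call sites become one-line assignments …
```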
@@ -1227,7 +1227,7 @@ protected function _handle_php_command()
}
$_commandr_state_lang_diff = base64_decode($_COOKIE['commandr_state_lang']);
secure_serialized_data($_commandr_state_lang_diff);
$commandr_state_lang_diff = @unserialize($_commandr_state_lang_diff);
$commandr_state_lang_diff = @unserialize($_commandr_state_lang_diff, array('allowed_classes' => false));
if (!is_array($commandr_state_lang_diff)) {
$commandr_state_lang_diff = array();
}
@@ -1246,7 +1246,7 @@ protected function _handle_php_command()
}
$_commandr_state_code_diff = base64_decode($_COOKIE['commandr_state_code']);
secure_serialized_data($_commandr_state_code_diff);
$commandr_state_code_diff = @unserialize($_commandr_state_code_diff);
$commandr_state_code_diff = @unserialize($_commandr_state_code_diff, array('allowed_classes' => false));
if (!is_array($commandr_state_code_diff)) {
$commandr_state_code_diff = array();
}
@@ -195,7 +195,7 @@ function post_comment_script()
}
$options = isset($_POST['options']) ? $_POST['options'] : (isset($_GET['options']) ? $_GET['options'] : '');
secure_serialized_data($options);
$_options = @unserialize($options);
$_options = @unserialize($options, array('allowed_classes' => false));
if (!is_array($_options)) {
warn_exit(do_lang_tempcode('INTERNAL_ERROR'));
}
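Review bot: `$options` is taken straight from `$_POST`/`$_GET`, so even with `allowed_classes => false` refusing objects, whatever array comes back is still entirely client-chosen; the `is_array` check is the right floor, and a comment stating that later code must validate each key it reads would help: `// $_options is client-supplied; validate every key before use`. As a point of style, the nested ternary for the POST/GET fallback can be `$options = $_POST['options'] ?? $_GET['options'] ?? '';`, since `??` is available from the same PHP 7.0 baseline as the `allowed_classes` option this commit relies on. The rest of post_comment_script is outside the hunk.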
@@ -3436,20 +3436,21 @@ function appengine_live_guard()
* Check serialized data for objects, as a security measure.
*
* @param string $data &$data Serialized data
* @param ?mixed $safe_replacement What to substitute if objects are contained (null: substitute null)
* @param ?mixed $safe_replacement What to substitute if objects are contained (null: substitute null)
*/
function secure_serialized_data(&$data, $safe_replacement = null)
{
// Security check, unserialize can result in unchecked magic method invocation on defined objects
// Would be a vulnerability if there's a defined class where such method invocation has dangerous side-effects
$matches = array();
$num_matches = preg_match_all('#(^|;)O:\d+:"([^"]+)"#', $data, $matches);
$num_matches = preg_match_all('#(^|;)O:[\d\+\-\.]+:"([^"]+)"#', $data, $matches);
for ($i = 0; $i < $num_matches; $i++) {
$harsh = true; // Could be turned into a method parameter later, if needed
if ($harsh) {
$bad_methods = array(
'__.*',
'code_to_preexecute',
);
} else {
$bad_methods = array(
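Review bot: The widened pattern `#(^|;)O:[\d\+\-\.]+:"([^"]+)"#` still only recognises the `O:` token, while PHP's serializer also emits a `C:` token for classes implementing Serializable, so an `[OC]:` alternative in the regex would give the check full coverage of class-bearing payloads; with `allowed_classes => false` applied at the call sites in this commit that is defence in depth, but callers that rely on this function alone may exist elsewhere. The `$harsh = true;` literal makes the `else` branch that follows unreachable, and `$bad_methods` is rebuilt on every loop iteration; either promote `$harsh` to the parameter the comment anticipates (`function secure_serialized_data(&$data, $safe_replacement = null, $harsh = true)`) or drop the dead branch, and in both cases build `$bad_methods` once before the `for`. The function continues past the end of the hunk.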
@@ -3463,10 +3464,12 @@ function secure_serialized_data(&$data, $safe_replacement = null)
'__set',
'__call',
'__callStatic',
'code_to_preexecute',
);
}
$methods = get_class_methods($matches[2][$i]);
$class_name = $matches[2][$i];
$methods = get_class_methods($class_name);
foreach ($bad_methods as $bad_method) {
foreach ($methods as $method) {
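Review bot: `get_class_methods($class_name)` is called with a class name lifted straight out of the untrusted payload; when that class is not loaded it returns null on PHP 7 and throws a TypeError on PHP 8, so the `foreach ($methods as $method)` below either warns or the request dies before the data is sanitised. Guard it with `$methods = class_exists($class_name, false) ? get_class_methods($class_name) : array();`, with autoloading disabled so that the check itself cannot trigger class loading from payload-chosen names. The loop body and the substitution of `$safe_replacement` are outside the hunk.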
@@ -43,7 +43,7 @@ public function run()
}
secure_serialized_data($serialized_options);
list($topic_id, $num_to_show_limit, $allow_comments, $invisible_if_no_comments, $forum, $reverse, $may_reply, $highlight_by_user, $allow_reviews) = unserialize($serialized_options);
list($topic_id, $num_to_show_limit, $allow_comments, $invisible_if_no_comments, $forum, $reverse, $may_reply, $highlight_by_user, $allow_reviews) = unserialize($serialized_options, array('allowed_classes' => false));
$posts = array_map('intval', explode(',', get_param_string('ids', false, true)));
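Review bot: The `list(...) = unserialize(...)` destructuring has no check on what came back: a malformed `$serialized_options` yields `false`, and a short array leaves the trailing variables null with notices, so any of the nine variables can be silently unset. Unserialize into a temporary and validate first: `$_opts = unserialize($serialized_options, array('allowed_classes' => false));` followed by `if (!is_array($_opts) || count($_opts) != 9) { warn_exit(do_lang_tempcode('INTERNAL_ERROR')); }` and then destructure `$_opts`. The `run` method continues outside the hunk.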
@@ -106,7 +106,7 @@ function upgrade_script()
$news = http_download_file($fetch_url, null, true, false, 'Composr', null, null, null, null, null, null, null, null, 30.0);
secure_serialized_data($news);
$details = unserialize($news);
$details = unserialize($news, array('allowed_classes' => false));
if ($details[0] != '') {
$l_refer_release_notes = $details[0];
if ($details[2] != '') {
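Review bot: `$details[0]` is read directly from the unserialize result of a body fetched over HTTP, so a transport failure (where `http_download_file()` plausibly returns null or false) or a malformed body gives an offset read on a non-array rather than a clean failure; add `if (!is_array($details) || count($details) < 3) { warn_exit(do_lang_tempcode('INTERNAL_ERROR')); }` before the first access. Unserializing a remote feed at all is a larger exposure than this code needs: a JSON feed decoded with `json_decode($news, true)` carries no class-instantiation surface and would let both the `secure_serialized_data()` call and the `allowed_classes` option go away, which is worth a follow-up if the feed format is under the project's control. The rest of upgrade_script, including how `$fetch_url` is built, is outside the hunk.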
@@ -392,7 +392,7 @@ function try_cookie_login()
secure_serialized_data($the_cookie, array());
$unserialize = @unserialize($the_cookie);
$unserialize = @unserialize($the_cookie, array('allowed_classes' => false));
if (is_array($unserialize)) {
if (array_key_exists($real_member_cookie, $unserialize)) {
@@ -41,7 +41,7 @@ function init__version()
*/
function cms_version_minor()
{
return '0.25';
return '0.26';
}
/**
@@ -3409,9 +3409,10 @@ function unlink($filename, $context = null)
* Creates a PHP value from a stored representation.
*
* @param string $str Serialized string.
* @param ?array $options Extra options (null: none).
* @return ~mixed What was originally serialised (false: bad data given, or actually false was serialized).
*/
function unserialize($str)
function unserialize($str, $options = null)
{
return 0;
}
@@ -253,7 +253,8 @@ private function _request($method, $call_params = NULL, $request_method = 'GET',
throw new VimeoAPIException('API call returned false;', 0);
}
$response = unserialize($response);
secure_serialized_data($response);
$response = unserialize($response, array('allowed_classes' => false));
if ($response->stat == 'ok') {
return $response;
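Review bot: The `$response->stat` read on the line after the change no longer works with `allowed_classes => false`: a serialized `stdClass` (which the `->` access implies the Vimeo API returns) now unserializes to `__PHP_Incomplete_Class`, whose property reads yield only a notice and null, so the `== 'ok'` comparison fails for every response and the integration is dead rather than hardened. If the response really is object-shaped, allow exactly that class, `$response = unserialize($response, array('allowed_classes' => array('stdClass')));`, or better request the JSON variant of the API and use `json_decode()`, which removes the serialization surface entirely. The added `secure_serialized_data($response)` with its default replacement also sets `$response` to null when a flagged object is found (per its docblock in this commit), after which `unserialize(null)` feeds the `->stat` read; throwing `VimeoAPIException` on that path, mirroring the check just above, would fail loudly instead. `_request` starts and ends outside the hunk.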
