[TASK] Harden internal state handling

Internal components using `unserialize` are enforced to disallow
classes in their internal state representation. This is a preparation
for starting with RIPS scanner.

Resolves: #91571
Releases: master, 10.4, 9.5
Change-Id: I3a5026e34a381e79817b46025d81083b2bc5b290
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64779
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Frank Nägler <frank.naegler@typo3.org>
Reviewed-by: Frank Nägler <frank.naegler@typo3.org>

typo3/sysext/core/Classes/Charset/CharsetConverter.php

@@ -429,7 +429,7 @@ protected function initCharset($charset)
                 // Caching brought parsing time for gb2312 down from 2400 ms to 150 ms. For other charsets we are talking 11 ms down to zero.
                 $cacheFile = Environment::getVarPath() . '/charset/charset_' . $charset . '.tbl';
                 if ($cacheFile && @is_file($cacheFile)) {
-                    $this->parsedCharsets[$charset] = unserialize(file_get_contents($cacheFile));
+                    $this->parsedCharsets[$charset] = unserialize(file_get_contents($cacheFile), ['allowed_classes' => false]);
                 } else {
                     // Parse conversion table into lines:
                     $lines = GeneralUtility::trimExplode(LF, file_get_contents($charsetConvTableFile), true);
@@ -495,7 +495,7 @@ protected function initUnicodeData()
         }
         // Use cached version if possible
         if ($cacheFileASCII && @is_file($cacheFileASCII)) {
-            $this->toASCII['utf-8'] = unserialize(file_get_contents($cacheFileASCII));
+            $this->toASCII['utf-8'] = unserialize(file_get_contents($cacheFileASCII), ['allowed_classes' => false]);
             return 2;
         }
         // Process main Unicode data file
@@ -657,7 +657,7 @@ protected function initToASCII($charset)
         // Use cached version if possible
         $cacheFile = Environment::getVarPath() . '/charset/csascii_' . $charset . '.tbl';
         if ($cacheFile && @is_file($cacheFile)) {
-            $this->toASCII[$charset] = unserialize(file_get_contents($cacheFile));
+            $this->toASCII[$charset] = unserialize(file_get_contents($cacheFile), ['allowed_classes' => false]);
             return 2;
         }
         // Init UTF-8 conversion for this charset

typo3/sysext/core/Classes/Resource/ProcessedFileRepository.php

@@ -89,7 +89,7 @@ protected function createDomainObject(array $databaseRow)
         $originalFile = $this->factory->getFileObject((int)$databaseRow['original']);
         $originalFile->setStorage($this->factory->getStorageObject($originalFile->getProperty('storage')));
         $taskType = $databaseRow['task_type'];
-        $configuration = unserialize($databaseRow['configuration']);
+        $configuration = unserialize($databaseRow['configuration'], ['allowed_classes' => false]);
 
         return GeneralUtility::makeInstance(
             $this->objectType,

typo3/sysext/core/Classes/TypoScript/Parser/TypoScriptParser.php

@@ -477,7 +477,7 @@ protected function parseSub(array &$setup)
                                             }
                                             // unserialize(serialize(...)) may look stupid but is needed because of some reference issues.
                                             // See forge issue #76919 and functional test hasFlakyReferences()
-                                            $this->setVal($objStrName, $setup, unserialize(serialize($res)), 1);
+                                            $this->setVal($objStrName, $setup, unserialize(serialize($res), ['allowed_classes' => false]), 1);
                                             break;
                                         case '>':
                                             if ($this->syntaxHighLight) {