Merge pull request from GHSA-699q-wcff-g9mj

* Fix unsafe unserialize() * Add changelog and comments on why unserialize() is disabled * Add since tag
yiisoft · Sep 14, 2020 · 2f7fb32 · 2f7fb32
1 parent 55dc14e
commit 2f7fb32
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@ Yii Framework 2 Change Log
 2.0.38 under development
 ------------------------
 
+- Bug: (CVE-2020-15148): Disable unserialization of `yii\db\BatchQueryResult` to prevent remote code execution in case application calls unserialize() on user input containing specially crafted string (samdark, russtone)
 - Enh #18213: Do not load fixtures with circular dependencies twice instead of throwing an exception (JesseHines0)
 - Bug #18066: Fix `yii\db\Query::create()` wasn't using all info from `withQuery()` (maximkou)
 - Bug #18269: Fix integer safe attribute to work properly in `yii\base\Model` (Ladone)

diff --git a/db/BatchQueryResult.php b/db/BatchQueryResult.php
@@ -223,4 +223,15 @@ private function getDbDriverName()
 
         return null;
     }
+
+    /**
+     * Unserialization is disabled to prevent remote code execution in case application
+     * calls unserialize() on user input containing specially crafted string.
+     * @see CVE-2020-15148
+     * @since 2.0.38
+     */
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize ' . __CLASS__);
+    }
 }