Merge pull request from GHSA-699q-wcff-g9mj
* Fix unsafe unserialize()

* Add changelog and comments on why unserialize() is disabled

* Add since tag
samdark committed Sep 14, 2020
1 parent 52ae0da commit 9abccb9
Showing 2 changed files with 12 additions and 0 deletions.
1 change: 1 addition & 0 deletions framework/CHANGELOG.md
@@ -4,6 +4,7 @@ Yii Framework 2 Change Log
2.0.38 under development
------------------------

- Bug: (CVE-2020-15148): Disable unserialization of `yii\db\BatchQueryResult` to prevent remote code execution in case application calls unserialize() on user input containing specially crafted string (samdark, russtone)
- Enh #18213: Do not load fixtures with circular dependencies twice instead of throwing an exception (JesseHines0)
- Bug #18066: Fix `yii\db\Query::create()` wasn't using all info from `withQuery()` (maximkou)
- Bug #18269: Fix integer safe attribute to work properly in `yii\base\Model` (Ladone)
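Review bot: the changelog entry for CVE-2020-15148 says unserialization is disabled but not how it now fails; since the new `__wakeup()` throws `\BadMethodCallException`, any code that previously serialized a `yii\db\BatchQueryResult` (for instance into a cache) and reads it back will now get an exception, and that backwards-compatibility impact belongs in the entry. Suggest appending something like: "`unserialize()` of this class now throws `BadMethodCallException`; applications must not serialize `BatchQueryResult` instances."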
11 changes: 11 additions & 0 deletions framework/db/BatchQueryResult.php
@@ -223,4 +223,15 @@ private function getDbDriverName()

return null;
}

/**
* Unserialization is disabled to prevent remote code execution in case application
* calls unserialize() on user input containing specially crafted string.
* @see CVE-2020-15148
* @since 2.0.38
*/
public function __wakeup()
{
throw new \BadMethodCallException('Cannot unserialize ' . __CLASS__);
}
}
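Review bot: the guard is one-sided: only `__wakeup()` throws, so a `BatchQueryResult` can still be serialized successfully and the failure only surfaces when it is read back. Consider adding a matching `__sleep()` (or, on PHP 7.4+, `__serialize()`) that throws the same `\BadMethodCallException('Cannot serialize ' . __CLASS__)`, so misuse fails at write time rather than at the next `unserialize()`. It is also worth stating in the docblock that this only removes this class as a gadget for an attacker-controlled `unserialize()` call; the application-level fix remains to never pass user input to `unserialize()`, which the comment's own wording ("in case application calls unserialize() on user input") implies but does not say outright.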
