Commit 18e3f4f7 authored by Oliver Hader's avatar Oliver Hader Committed by Andreas Fernandez
[BUGFIX] Allow arbitrary objects in widget context

TYPO3-CORE-SA-2020-005 caused side-effects on Fluid AJAX widgets which
unfortunately support any class instance to be temporarily stored in
the current user-session. With mentioned change to address an insecure
deserialization vulnerability it was limited to items that could be
JSON-serialized.

This limitation is removed again by switching back to `unserialize()`,
but using an encryption-key-based HMAC signature on the payload.
Due to its architecture there is no better approach available.

This partially reverts commit e4fb92a8.

Resolves: #91382
Releases: master, 9.5
Change-Id: I68cbd15e7df2f536180f174fa63cf27f8a19cfcd
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64501


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Jonas Götze <jonnsn@gmail.com>
Tested-by: Alexander Schnitzler <git@alexanderschnitzler.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Susanne Moog <look@susi.dev>
Reviewed-by: Alexander Schnitzler <git@alexanderschnitzler.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Susanne Moog <look@susi.dev>
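The pattern the commit message describes, as an added stand-alone example and not TYPO3's own code: arbitrary objects are still passed through `serialize()`, but the stored payload carries an HMAC keyed with the installation's encryption key, and `unserialize()` is only reached after that HMAC verifies. The constant `ENCRYPTION_KEY`, the `WidgetContext` class and the function names are assumptions for illustration; in TYPO3 the key would come from `$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']`.

```php
<?php
declare(strict_types=1);

// Added example (not TYPO3 code). Hypothetical stand-in for the
// per-installation encryption key; must be long, random and secret.
const ENCRYPTION_KEY = 'replace-with-a-long-random-per-installation-secret';

// Hypothetical widget state: any class instance, as the commit message requires.
final class WidgetContext
{
    public function __construct(
        public string $widgetIdentifier,
        public array $arguments
    ) {
    }
}

// Derive a purpose-bound MAC key so signatures made for other purposes with
// the same encryption key are never valid for widget contexts.
function deriveMacKey(string $purpose): string
{
    return hash_hmac('sha256', $purpose, ENCRYPTION_KEY, true);
}

// Serialize and sign. Layout: 64 hex chars of HMAC-SHA256, ':', base64 payload.
function signPayload(mixed $value): string
{
    $serialized = serialize($value);
    $mac = hash_hmac('sha256', $serialized, deriveMacKey('widget-context'));
    return $mac . ':' . base64_encode($serialized);
}

// Verify the HMAC in constant time BEFORE any byte reaches unserialize().
function verifyAndUnserialize(string $signed): mixed
{
    if (strlen($signed) < 66 || $signed[64] !== ':') {
        throw new RuntimeException('Malformed signed payload');
    }
    $mac = substr($signed, 0, 64);
    $serialized = base64_decode(substr($signed, 65), true);
    if ($serialized === false) {
        throw new RuntimeException('Malformed signed payload');
    }
    $expected = hash_hmac('sha256', $serialized, deriveMacKey('widget-context'));
    if (!hash_equals($expected, $mac)) {
        throw new RuntimeException('HMAC verification failed; refusing to unserialize');
    }
    return unserialize($serialized);
}

// Round trip with a constructed object.
$context = new WidgetContext('paginateWidget', ['currentPage' => 3]);
$signed = signPayload($context);
$restored = verifyAndUnserialize($signed);
var_dump($restored == $context); // bool(true)

// An attacker who swaps the payload for their own serialized object (the
// insecure-deserialization scenario) is rejected before unserialize() runs.
$tampered = substr($signed, 0, 65) . base64_encode('O:8:"stdClass":0:{}');
try {
    verifyAndUnserialize($tampered);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Two caveats a reviewer would keep in mind: the HMAC provides integrity only, not confidentiality, so the serialized object is still readable wherever the session is stored; and because the widgets need arbitrary classes, `unserialize()` cannot be narrowed with `allowed_classes`, which means the scheme is exactly as strong as the secrecy of the encryption key. If that key leaks, an attacker can sign their own payload and the deserialization sink is reachable again.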