From 43db1266b809d135de0b7ee816b5619b1a54d821 Mon Sep 17 00:00:00 2001
From: Christian Kuhn <lolli@schwarzbu.ch>
Date: Fri, 27 May 2016 15:19:42 +0200
Subject: [PATCH] [TASK] unserialize() without objects in impexp

Change-Id: I09d769584dc4389d0d6e0d2ffa3e8e1b0fa571ad
Resolves: #76327
Releases: master
Reviewed-on: https://review.typo3.org/48333
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
---
 .../impexp/Classes/Domain/Repository/PresetRepository.php     | 2 +-
 typo3/sysext/impexp/Classes/Import.php                        | 4 ++--
 typo3/sysext/impexp/Classes/Task/ImportExportTask.php         | 2 +-
 typo3/sysext/impexp/Classes/View/ExportPageTreeView.php       | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/typo3/sysext/impexp/Classes/Domain/Repository/PresetRepository.php b/typo3/sysext/impexp/Classes/Domain/Repository/PresetRepository.php
index 9229e656e050..bfa3b3da85d9 100644
--- a/typo3/sysext/impexp/Classes/Domain/Repository/PresetRepository.php
+++ b/typo3/sysext/impexp/Classes/Domain/Repository/PresetRepository.php
@@ -123,7 +123,7 @@ class PresetRepository
             $preset = $this->getPreset($presetData['select']);
             if (is_array($preset)) {
                 // Update existing
-                $inData_temp = unserialize($preset['preset_data']);
+                $inData_temp = unserialize($preset['preset_data'], ['allowed_classes' => false]);
                 if (is_array($inData_temp)) {
                     if (isset($presetData['merge'])) {
                         // Merge records in:
diff --git a/typo3/sysext/impexp/Classes/Import.php b/typo3/sysext/impexp/Classes/Import.php
index ef985cf0fd0e..ce53dd4a04a1 100644
--- a/typo3/sysext/impexp/Classes/Import.php
+++ b/typo3/sysext/impexp/Classes/Import.php
@@ -1749,7 +1749,7 @@ class Import extends ImportExport
                     return null;
                 }
             }
-            return $unserialize ? unserialize($datString) : $datString;
+            return $unserialize ? unserialize($datString, ['allowed_classes' => false]) : $datString;
         } else {
             $this->error('MD5 check failed (' . $name . ')');
         }
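Review bot: The value returned on the changed line is not validated, and `allowed_classes => false` does not reject serialized objects: they come back as `__PHP_Incomplete_Class`, while a malformed string yields `false`. Because `$datString` comes from an import file, it would be safer to check the shape before returning, e.g. `$data = unserialize($datString, ['allowed_classes' => false]);` followed by `if (!is_array($data)) { $this->error('Unexpected content (' . $name . ')'); return null; }`. That assumes callers only expect an array at the top level, which cannot be confirmed from here. The return in the second hunk of this file has the same gap. The enclosing method starts and ends outside the hunk.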
@@ -1798,7 +1798,7 @@ class Import extends ImportExport
             if ($initStrDat[1]) {
                 if ($this->compress) {
                     $datString = gzuncompress($datString);
-                    return $unserialize ? unserialize($datString) : $datString;
+                    return $unserialize ? unserialize($datString, ['allowed_classes' => false]) : $datString;
                 } else {
                     $this->error('Content read error: This file requires decompression, but this server does not offer gzcompress()/gzuncompress() functions.');
                 }
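Review bot: The `gzuncompress()` result on the line above the change is used unchecked, so corrupt or crafted compressed data returns `false` and that `false` is handed to `unserialize()` instead of being reported through `$this->error()`. A guard such as `if ($datString === false) { $this->error('Content read error: decompression failed.'); return null; }` before the return would make the failure explicit; the `return null` is an assumption, as this method's other error paths are outside the hunk. `gzuncompress()` also takes a `max_length` second argument that would bound how much memory a highly compressed import file can claim. Whether a sensible limit exists for this format is not visible here.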
diff --git a/typo3/sysext/impexp/Classes/Task/ImportExportTask.php b/typo3/sysext/impexp/Classes/Task/ImportExportTask.php
index 249aca383acc..ab743f3d6757 100644
--- a/typo3/sysext/impexp/Classes/Task/ImportExportTask.php
+++ b/typo3/sysext/impexp/Classes/Task/ImportExportTask.php
@@ -107,7 +107,7 @@ class ImportExportTask implements TaskInterface
             if (is_array($presets) && !empty($presets)) {
                 $lines = [];
                 foreach ($presets as $key => $presetCfg) {
-                    $configuration = unserialize($presetCfg['preset_data']);
+                    $configuration = unserialize($presetCfg['preset_data'], ['allowed_classes' => false]);
                     $title = strlen($presetCfg['title']) ? $presetCfg['title'] : '[' . $presetCfg['uid'] . ']';
                     $icon = 'EXT:impexp/Resources/Public/Images/export.gif';
                     $description = array();
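Review bot: `$configuration` is not type-checked in the visible lines, whereas the PresetRepository hunk guards the same `preset_data` column with `is_array()`. A truncated or corrupted row makes `unserialize()` return `false` here. Consider adding `if (!is_array($configuration)) { $configuration = []; }` directly after the call, or skipping that preset. The assignment to `$this->stored` in the ExportPageTreeView hunk is unguarded in the same way. Both bodies continue outside their hunks, so a later check may already exist there.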
diff --git a/typo3/sysext/impexp/Classes/View/ExportPageTreeView.php b/typo3/sysext/impexp/Classes/View/ExportPageTreeView.php
index 96abce9e975c..027baba1aee7 100644
--- a/typo3/sysext/impexp/Classes/View/ExportPageTreeView.php
+++ b/typo3/sysext/impexp/Classes/View/ExportPageTreeView.php
@@ -86,7 +86,7 @@ class ExportPageTreeView extends BrowseTreeView
         // Initialize:
         $this->init(' AND ' . $this->BE_USER->getPagePermsClause(1) . $clause);
         // Get stored tree structure:
-        $this->stored = unserialize($this->BE_USER->uc['browseTrees']['browsePages']);
+        $this->stored = unserialize($this->BE_USER->uc['browseTrees']['browsePages'], ['allowed_classes' => false]);
         $treeArr = array();
         $idx = 0;
         // Set first:
-- 
GitLab