[BUGFIX] Relax constraints on serializing objects

With security advisory TYPO3-CORE-SA-2020-004 new `BlockSerializationTrait` has been introduced blocking serialization and deserialization for a couple of classes (see advisory for details). Since this caused a couple of side-effects for valid use-cases, the restriction on serialize() is removed - which is fine from a security point of view. Resolves: #91387 Releases: master, 9.5 Change-Id: I9a9d415deab80badc3c1517f2e0c0c3336d3d936 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64486 Tested-by: TYPO3com <noreply@typo3.com> Tested-by: Markus Klein <markus.klein@typo3.org> Tested-by: Georg Ringer <georg.ringer@gmail.com> Tested-by: Oliver Bartsch <bo@cedev.de> Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by: Markus Klein <markus.klein@typo3.org> Reviewed-by: Georg Ringer <georg.ringer@gmail.com> Reviewed-by: Oliver Bartsch <bo@cedev.de> Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

[BUGFIX] Relax constraints on serializing objects
With security advisory TYPO3-CORE-SA-2020-004 new `BlockSerializationTrait` has been introduced blocking serialization and deserialization for a couple of classes (see advisory for details). Since this caused a couple of side-effects for valid use-cases, the restriction on serialize() is removed - which is fine from a security point of view. Resolves: #91387 Releases: master, 9.5 Change-Id: I9a9d415deab80badc3c1517f2e0c0c3336d3d936 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64486 Tested-by: TYPO3com <noreply@typo3.com> Tested-by: Markus Klein <markus.klein@typo3.org> Tested-by: Georg Ringer <georg.ringer@gmail.com> Tested-by: Oliver Bartsch <bo@cedev.de> Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by: Markus Klein <markus.klein@typo3.org> Reviewed-by: Georg Ringer <georg.ringer@gmail.com> Reviewed-by: Oliver Bartsch <bo@cedev.de> Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
5c48857f · Oliver Hader · Andreas Fernandez · 45d2a426 · 5c48857f
Commit 5c48857f authored 4 years ago by Oliver Hader Committed by Andreas Fernandez 4 years ago
--- a/typo3/sysext/core/Classes/Security/BlockSerializationTrait.php
+++ b/typo3/sysext/core/Classes/Security/BlockSerializationTrait.php
@@ -18,18 +18,14 @@ declare(strict_types=1);
 namespace TYPO3\CMS\Core\Security;

 /**
- * Blocks object being using in `serialize()` and `unserialize()` invocations.
+ * Blocks object being using `unserialize()` invocations.
+ *
+ * Initially this trait blocked `serialize()` as well, which caused
+ * a couple of side-effects in user-land code and is not problematic
+ * from a security point of view.
 */
 trait BlockSerializationTrait
 {
-    /**
-     * Deny object serialization.
-     */
-    public function __sleep()
-    {
-        throw new \BadMethodCallException('Cannot serialize ' . __CLASS__, 1588784141);
-    }
-
    /**
     * Deny object deserialization.
     */