From 5c48857fc52e0f40b3170da6595813377ad4fe67 Mon Sep 17 00:00:00 2001
From: Oliver Hader <oliver@typo3.org>
Date: Wed, 13 May 2020 16:49:09 +0200
Subject: [PATCH] [BUGFIX] Relax constraints on serializing objects

With security advisory TYPO3-CORE-SA-2020-004, a new
`BlockSerializationTrait` has been introduced, blocking serialization
and deserialization for a couple of classes (see advisory for details).
Since this caused a couple of side-effects for valid use cases, the
restriction on serialize() is removed - which is fine from a security
point of view.

Resolves: #91387
Releases: master, 9.5
Change-Id: I9a9d415deab80badc3c1517f2e0c0c3336d3d936
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64486
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
---
 .../Classes/Security/BlockSerializationTrait.php   | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/typo3/sysext/core/Classes/Security/BlockSerializationTrait.php b/typo3/sysext/core/Classes/Security/BlockSerializationTrait.php
index f4e39740a341..e4b56c7f26ae 100644
--- a/typo3/sysext/core/Classes/Security/BlockSerializationTrait.php
+++ b/typo3/sysext/core/Classes/Security/BlockSerializationTrait.php
@@ -18,18 +18,14 @@ declare(strict_types=1);
 namespace TYPO3\CMS\Core\Security;
 
 /**
- * Blocks object being using in `serialize()` and `unserialize()` invocations.
+ * Blocks object being using `unserialize()` invocations.
+ *
+ * Initially this trait blocked `serialize()` as well, which caused
+ * a couple of side-effects in user-land code and is not problematic
+ * from a security point of view.
  */
 trait BlockSerializationTrait
 {
-    /**
-     * Deny object serialization.
-     */
-    public function __sleep()
-    {
-        throw new \BadMethodCallException('Cannot serialize ' . __CLASS__, 1588784141);
-    }
-
     /**
      * Deny object deserialization.
      */
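Review bot: the new doc comment on the first `+` line is ungrammatical ("Blocks object being using `unserialize()` invocations.") and should read something like "Blocks objects from being used in `unserialize()` invocations."; while editing it, the added paragraph should state *why* dropping the `serialize()` block is acceptable rather than only asserting it: `__sleep()` only governs what an already-instantiated object emits on output, whereas the attack surface the advisory addresses is untrusted input reaching `unserialize()`, which the retained `__wakeup()` block ("Deny object deserialization." in the trailing context) still covers. Two consequences worth noting in the comment or commit message: a class using this trait can now be serialized but any round trip through `unserialize()` will still throw, so callers must not cache or persist such objects expecting to restore them, and the removed `__sleep()` exception code 1588784141 disappears from the codebase, so any documentation or log-based detection keyed on that identifier should be updated.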
-- 
GitLab