[TASK] Use secure deserialization in extension manager
In order to harden the deserialization of scalar and array values in extension manager, unserialize() calls are hardened further to disallow object reconstitution.

The information is retrieved from the TYPO3 extension repository (TER), where corresponding countermeasures are in place to protect against object injections - that's why this change is considered as hardening and not as a security issue.

Resolves: #85466
Releases: master, 8.7
Change-Id: I65b61d61e08d0c50b27ae9102d7ba4c4518a8788
Reviewed-on: https://review.typo3.org/57458
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Daniel Goerz <ervaude@gmail.com>
Tested-by: Daniel Goerz <ervaude@gmail.com>
Reviewed-by: Joerg Boesche <typo3@joergboesche.de>
Reviewed-by: Tymoteusz Motylewski <t.motylewski@gmail.com>
Tested-by: Tymoteusz Motylewski <t.motylewski@gmail.com>

Changed files:
- typo3/sysext/extensionmanager/Classes/Utility/Connection/TerUtility.php (2 additions, 2 deletions)
- typo3/sysext/extensionmanager/Classes/Utility/EmConfUtility.php (1 addition, 1 deletion)
- typo3/sysext/extensionmanager/Classes/Utility/ExtensionModelUtility.php (1 addition, 1 deletion)
- typo3/sysext/extensionmanager/Classes/Utility/Parser/AbstractExtensionXmlParser.php (1 addition, 1 deletion)
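
The diff itself is not shown on this page, so the following is an added illustration of the technique the commit message names (unserialize() that refuses to reconstitute objects), not the TYPO3 code. It uses PHP's `allowed_classes` option; the `AuditProbe` class, the helper names and the sample payloads are constructed, and the extra `containsObject()` rejection goes one step beyond what the message describes.

```php
<?php
// Added illustration, not TYPO3 code. AuditProbe and both payloads are constructed.
final class AuditProbe
{
    public static $events = [];

    public function __wakeup(): void
    {
        // Magic methods such as this one are what object injection relies on.
        self::$events[] = '__wakeup ran';
    }
}

function containsObject($value): bool
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

/** Decode data expected to hold only scalars and arrays; null on anything else. */
function decodeScalarOrArray(string $serialized)
{
    // allowed_classes => false: no class is instantiated and no magic method runs;
    // serialized objects come back as inert __PHP_Incomplete_Class placeholders.
    $value = @unserialize($serialized, ['allowed_classes' => false]);
    if ($value === false && $serialized !== serialize(false)) {
        return null; // malformed input
    }
    // Extra strictness (assumption of this example): reject even the placeholders.
    return containsObject($value) ? null : $value;
}

// Constructed sample inputs: one plain array, one array carrying an object.
$plain = serialize(['version' => '1.2.3', 'depends' => ['typo3' => '8.7.0-8.7.99']]);
$withObject = serialize(['version' => '1.2.3', 'extra' => new AuditProbe()]);

var_dump(decodeScalarOrArray($plain));
var_dump(decodeScalarOrArray($withObject));
var_dump(AuditProbe::$events);
```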