[TASK] unserialize() without objects for extConf
To mitigate potential "unsecure unserialize()" issues, the new PHP7 feature to allow only specific classes or to totally deny object creation is rolled out throughout the core in v8. Since a lot of places use unserialize() and some are critical or hard to understand, this is done with a series of patches for single areas. This patch denies object creation at all places where $GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['anExtension'] is unserialized() - the extension manager and ext_conf_template.txt handling never handles objects at this place, so it should be safe to deny objects at all places. Change-Id: Ie96e6fb6837418fd765f883b216b7a9c5af5795d Resolves: #76320 Releases: master Reviewed-on: https://review.typo3.org/48314 Reviewed-by:Morton Jonuschat <m.jonuschat@mojocode.de> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
Showing
- typo3/sysext/backend/Classes/Controller/BackendController.php 1 addition, 1 deletion...3/sysext/backend/Classes/Controller/BackendController.php
- typo3/sysext/backend/Classes/Controller/LoginController.php 1 addition, 1 deletiontypo3/sysext/backend/Classes/Controller/LoginController.php
- typo3/sysext/compatibility7/Classes/Controller/SearchFormController.php 1 addition, 1 deletion...ompatibility7/Classes/Controller/SearchFormController.php
- typo3/sysext/css_styled_content/Configuration/TCA/Overrides/pages.php 11 additions, 15 deletions.../css_styled_content/Configuration/TCA/Overrides/pages.php
- typo3/sysext/css_styled_content/ext_localconf.php 17 additions, 20 deletionstypo3/sysext/css_styled_content/ext_localconf.php
- typo3/sysext/dbal/Classes/Database/DatabaseConnection.php 1 addition, 1 deletiontypo3/sysext/dbal/Classes/Database/DatabaseConnection.php
- typo3/sysext/extensionmanager/Classes/Utility/ConfigurationUtility.php 2 additions, 1 deletion...extensionmanager/Classes/Utility/ConfigurationUtility.php
- typo3/sysext/extensionmanager/ext_localconf.php 1 addition, 1 deletiontypo3/sysext/extensionmanager/ext_localconf.php
- typo3/sysext/fluid_styled_content/Configuration/TCA/Overrides/pages.php 11 additions, 15 deletions...luid_styled_content/Configuration/TCA/Overrides/pages.php
- typo3/sysext/fluid_styled_content/ext_localconf.php 15 additions, 18 deletionstypo3/sysext/fluid_styled_content/ext_localconf.php
- typo3/sysext/indexed_search/Classes/Controller/AdministrationController.php 1 addition, 1 deletion...ed_search/Classes/Controller/AdministrationController.php
- typo3/sysext/indexed_search/Classes/Controller/SearchController.php 1 addition, 1 deletion...xt/indexed_search/Classes/Controller/SearchController.php
- typo3/sysext/indexed_search/Classes/FileContentParser.php 2 additions, 2 deletionstypo3/sysext/indexed_search/Classes/FileContentParser.php
- typo3/sysext/indexed_search/Classes/Indexer.php 2 additions, 2 deletionstypo3/sysext/indexed_search/Classes/Indexer.php
- typo3/sysext/indexed_search/ext_localconf.php 1 addition, 1 deletiontypo3/sysext/indexed_search/ext_localconf.php
- typo3/sysext/install/Classes/Service/SilentConfigurationUpgradeService.php 0 additions, 38 deletions...all/Classes/Service/SilentConfigurationUpgradeService.php
- typo3/sysext/install/Tests/Unit/Service/SilentConfigurationUpgradeServiceTest.php 1 addition, 136 deletions...ts/Unit/Service/SilentConfigurationUpgradeServiceTest.php
- typo3/sysext/rsaauth/Classes/Backend/CommandLineBackend.php 1 addition, 1 deletiontypo3/sysext/rsaauth/Classes/Backend/CommandLineBackend.php
- typo3/sysext/rsaauth/Classes/BackendWarnings.php 1 addition, 1 deletiontypo3/sysext/rsaauth/Classes/BackendWarnings.php
- typo3/sysext/rtehtmlarea/ext_localconf.php 1 addition, 1 deletiontypo3/sysext/rtehtmlarea/ext_localconf.php
Please register or sign in to comment