From 7e2ce1d2bb982fee534d6514c30dc4f6b1762120 Mon Sep 17 00:00:00 2001
From: Christian Kuhn <lolli@schwarzbu.ch>
Date: Fri, 27 May 2016 12:22:18 +0200
Subject: [PATCH] [TASK] unserialize() without objects for extConf

To mitigate potential "unsecure unserialize()" issues, the new PHP7
feature to allow only specific classes or to totally deny object
creation is rolled out throughout the core in v8.

Since a lot of places use unserialize() and some are critical or
hard to understand, this is done with a series of patches for
single areas.

This patch denies object creation at all places where
$GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['anExtension'] is
passed to unserialize() - the extension manager and the
ext_conf_template.txt handling never handle objects at this place,
so it should be safe to deny objects at all of these places.

Change-Id: Ie96e6fb6837418fd765f883b216b7a9c5af5795d
Resolves: #76320
Releases: master
Reviewed-on: https://review.typo3.org/48314
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
---
 .../Classes/Controller/BackendController.php  |   2 +-
 .../Classes/Controller/LoginController.php    |   2 +-
 .../Controller/SearchFormController.php       |   2 +-
 .../Configuration/TCA/Overrides/pages.php     |  26 ++--
 .../css_styled_content/ext_localconf.php      |  37 +++--
 .../Classes/Database/DatabaseConnection.php   |   2 +-
 .../Classes/Utility/ConfigurationUtility.php  |   3 +-
 .../sysext/extensionmanager/ext_localconf.php |   2 +-
 .../Configuration/TCA/Overrides/pages.php     |  26 ++--
 .../fluid_styled_content/ext_localconf.php    |  33 ++---
 .../Controller/AdministrationController.php   |   2 +-
 .../Classes/Controller/SearchController.php   |   2 +-
 .../Classes/FileContentParser.php             |   4 +-
 .../sysext/indexed_search/Classes/Indexer.php |   4 +-
 typo3/sysext/indexed_search/ext_localconf.php |   2 +-
 .../SilentConfigurationUpgradeService.php     |  38 -----
 .../SilentConfigurationUpgradeServiceTest.php | 137 +-----------------
 .../Classes/Backend/CommandLineBackend.php    |   2 +-
 .../rsaauth/Classes/BackendWarnings.php       |   2 +-
 typo3/sysext/rtehtmlarea/ext_localconf.php    |   2 +-
 .../ExtensionManagerConfigurationUtility.php  |   2 +-
 .../Utility/SaltedPasswordsUtility.php        |   2 +-
 typo3/sysext/scheduler/Classes/Scheduler.php  |   2 +-
 typo3/sysext/scheduler/ext_localconf.php      |   2 +-
 24 files changed, 76 insertions(+), 262 deletions(-)

diff --git a/typo3/sysext/backend/Classes/Controller/BackendController.php b/typo3/sysext/backend/Classes/Controller/BackendController.php
index 37f9cf00ff0c..f2730773e263 100644
--- a/typo3/sysext/backend/Classes/Controller/BackendController.php
+++ b/typo3/sysext/backend/Classes/Controller/BackendController.php
@@ -263,7 +263,7 @@ class BackendController
         $view = $this->getFluidTemplateObject($this->templatePath . 'Backend/Main.html');
 
         // Extension Configuration to find the TYPO3 logo in the left corner
-        $extConf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['backend']);
+        $extConf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['backend'], ['allowed_classes' => false]);
         $logoPath = '';
         if (!empty($extConf['backendLogo'])) {
             $customBackendLogo = GeneralUtility::getFileAbsFileName($extConf['backendLogo']);
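Review bot: The decoded `$extConf` is indexed on the `!empty($extConf['backendLogo'])` line without a type check, although unserialize() with `['allowed_classes' => false]` can still return `false` for a malformed string, or a `__PHP_Incomplete_Class` placeholder when the stored value is a serialized object. Array access on that placeholder is expected to raise an Error under PHP 7, so a corrupted or tampered extConf entry would break backend rendering instead of falling back to the defaults. ConfigurationUtility::getCurrentConfiguration() in this same patch already normalizes with `is_array()`; the same guard, `$extConf = is_array($extConf) ? $extConf : [];`, would fit here and in the LoginController, indexed_search, dbal and rsaauth hunks. The enclosing method starts and ends outside the hunk.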
diff --git a/typo3/sysext/backend/Classes/Controller/LoginController.php b/typo3/sysext/backend/Classes/Controller/LoginController.php
index 4923a2e53747..8172309f81f7 100644
--- a/typo3/sysext/backend/Classes/Controller/LoginController.php
+++ b/typo3/sysext/backend/Classes/Controller/LoginController.php
@@ -159,7 +159,7 @@ class LoginController
         $this->checkRedirect();
 
         // Extension Configuration
-        $extConf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['backend']);
+        $extConf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['backend'], ['allowed_classes' => false]);
 
         // Background Image
         if (!empty($extConf['loginBackgroundImage'])) {
diff --git a/typo3/sysext/compatibility7/Classes/Controller/SearchFormController.php b/typo3/sysext/compatibility7/Classes/Controller/SearchFormController.php
index 5144c08769c6..783cf520f3cf 100755
--- a/typo3/sysext/compatibility7/Classes/Controller/SearchFormController.php
+++ b/typo3/sysext/compatibility7/Classes/Controller/SearchFormController.php
@@ -216,7 +216,7 @@ class SearchFormController extends \TYPO3\CMS\Frontend\Plugin\AbstractPlugin
     public function initialize()
     {
         // Indexer configuration from Extension Manager interface:
-        $this->indexerConfig = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['indexed_search']);
+        $this->indexerConfig = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['indexed_search'], ['allowed_classes' => false]);
         $this->enableMetaphoneSearch = (bool)$this->indexerConfig['enableMetaphoneSearch'];
         $this->storeMetaphoneInfoAsWords = !\TYPO3\CMS\IndexedSearch\Utility\IndexedSearchUtility::isTableUsed('index_words');
         $this->timeTracker = GeneralUtility::makeInstance(TimeTracker::class);
diff --git a/typo3/sysext/css_styled_content/Configuration/TCA/Overrides/pages.php b/typo3/sysext/css_styled_content/Configuration/TCA/Overrides/pages.php
index 739e7fdf941b..08bfb6848d53 100644
--- a/typo3/sysext/css_styled_content/Configuration/TCA/Overrides/pages.php
+++ b/typo3/sysext/css_styled_content/Configuration/TCA/Overrides/pages.php
@@ -1,18 +1,14 @@
 <?php
 defined('TYPO3_MODE') or die();
 
-call_user_func(
-    function ($extKey) {
-        $extConf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf'][$extKey]);
-
-        if (isset($extConf['loadContentElementWizardTsConfig']) && (int)$extConf['loadContentElementWizardTsConfig'] === 0) {
-            // Add pageTSconfig
-            \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::registerPageTSConfigFile(
-                $extKey,
-                'Configuration/PageTSconfig/NewContentElementWizard.ts',
-                'CSS-based Content Elements'
-            );
-        }
-    },
-    'css_styled_content'
-);
+call_user_func(function () {
+    $extConf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['css_styled_content'], ['allowed_classes' => false]);
+    if (isset($extConf['loadContentElementWizardTsConfig']) && (int)$extConf['loadContentElementWizardTsConfig'] === 0) {
+        // Add pageTSconfig
+        \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::registerPageTSConfigFile(
+            'css_styled_content',
+            'Configuration/PageTSconfig/NewContentElementWizard.ts',
+            'CSS-based Content Elements'
+        );
+    }
+});
diff --git a/typo3/sysext/css_styled_content/ext_localconf.php b/typo3/sysext/css_styled_content/ext_localconf.php
index 0018f5623d9b..79a5863aac5c 100644
--- a/typo3/sysext/css_styled_content/ext_localconf.php
+++ b/typo3/sysext/css_styled_content/ext_localconf.php
@@ -23,24 +23,21 @@ $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['cms/layout/class.tx_cms_layout.php'][
     \TYPO3\CMS\CssStyledContent\Hooks\PageLayoutView\TextPreviewRenderer::class;
 
 if (TYPO3_MODE === 'BE') {
-    call_user_func(
-        function ($extKey) {
-            // Get the extension configuration
-            $extConf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf'][$extKey]);
-
-            if (!isset($extConf['loadContentElementWizardTsConfig']) || (int)$extConf['loadContentElementWizardTsConfig'] === 1) {
-                // Include new content elements to modWizards
-                \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::addPageTSConfig('<INCLUDE_TYPOSCRIPT: source="FILE:EXT:css_styled_content/Configuration/PageTSconfig/NewContentElementWizard.ts">');
-            }
-
-            $dispatcher = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance(\TYPO3\CMS\Extbase\SignalSlot\Dispatcher::class);
-            $dispatcher->connect(
-                \TYPO3\CMS\Extensionmanager\Controller\ConfigurationController::class,
-                'afterExtensionConfigurationWrite',
-                \TYPO3\CMS\CssStyledContent\Hooks\TcaCacheClearing::class,
-                'clearTcaCache'
-            );
-        },
-        $_EXTKEY
-    );
+    call_user_func(function () {
+        // Get the extension configuration
+        $extConf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['css_styled_content'], ['allowed_classes' => false]);
+
+        if (!isset($extConf['loadContentElementWizardTsConfig']) || (int)$extConf['loadContentElementWizardTsConfig'] === 1) {
+            // Include new content elements to modWizards
+            \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::addPageTSConfig('<INCLUDE_TYPOSCRIPT: source="FILE:EXT:css_styled_content/Configuration/PageTSconfig/NewContentElementWizard.ts">');
+        }
+
+        $dispatcher = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance(\TYPO3\CMS\Extbase\SignalSlot\Dispatcher::class);
+        $dispatcher->connect(
+            \TYPO3\CMS\Extensionmanager\Controller\ConfigurationController::class,
+            'afterExtensionConfigurationWrite',
+            \TYPO3\CMS\CssStyledContent\Hooks\TcaCacheClearing::class,
+            'clearTcaCache'
+        );
+    });
 }
diff --git a/typo3/sysext/dbal/Classes/Database/DatabaseConnection.php b/typo3/sysext/dbal/Classes/Database/DatabaseConnection.php
index f1bada85f3b5..0c8b92b516e3 100644
--- a/typo3/sysext/dbal/Classes/Database/DatabaseConnection.php
+++ b/typo3/sysext/dbal/Classes/Database/DatabaseConnection.php
@@ -2564,7 +2564,7 @@ class DatabaseConnection extends \TYPO3\CMS\Core\Database\DatabaseConnection
      */
     public function sql_query($query)
     {
-        $globalConfig = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['dbal']);
+        $globalConfig = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['dbal'], ['allowed_classes' => false]);
         if ($globalConfig['sql_query.']['passthrough']) {
             return parent::sql_query($query);
         }
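Review bot: The hardened unserialize() call still sits at the top of sql_query(), so the dbal extConf string is decoded again on every invocation, and `$globalConfig['sql_query.']['passthrough']` is read without checking that the key exists. If this method is on the per-query path, as its name suggests, decoding once and keeping the flag in a property would remove the repeated work and give one place to validate the value. At minimum, `if (!empty($globalConfig['sql_query.']['passthrough'])) {` covers a missing key or a `false` decode result. The method body continues outside the hunk.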
diff --git a/typo3/sysext/extensionmanager/Classes/Utility/ConfigurationUtility.php b/typo3/sysext/extensionmanager/Classes/Utility/ConfigurationUtility.php
index 0c2e0dfbb9ba..c6ae97aa3631 100644
--- a/typo3/sysext/extensionmanager/Classes/Utility/ConfigurationUtility.php
+++ b/typo3/sysext/extensionmanager/Classes/Utility/ConfigurationUtility.php
@@ -79,7 +79,8 @@ class ConfigurationUtility implements \TYPO3\CMS\Core\SingletonInterface
     public function getCurrentConfiguration($extensionKey)
     {
         $mergedConfiguration = $this->getDefaultConfigurationFromExtConfTemplateAsValuedArray($extensionKey);
-        $currentExtensionConfig = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf'][$extensionKey]);
+        // No objects allowed in extConf at all - it is safe to deny that during unserialize()
+        $currentExtensionConfig = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf'][$extensionKey], ['allowed_classes' => false]);
         $currentExtensionConfig = is_array($currentExtensionConfig) ? $currentExtensionConfig : array();
         $currentExtensionConfig = $this->convertNestedToValuedConfiguration($currentExtensionConfig);
         \TYPO3\CMS\Core\Utility\ArrayUtility::mergeRecursiveWithOverrule(
diff --git a/typo3/sysext/extensionmanager/ext_localconf.php b/typo3/sysext/extensionmanager/ext_localconf.php
index f38c6bb4d5b1..8ab4e256e4ef 100644
--- a/typo3/sysext/extensionmanager/ext_localconf.php
+++ b/typo3/sysext/extensionmanager/ext_localconf.php
@@ -2,7 +2,7 @@
 defined('TYPO3_MODE') or die();
 
 // Register extension list update task
-$_EXTCONF = unserialize($_EXTCONF);
+$_EXTCONF = unserialize($_EXTCONF, ['allowed_classes' => false]);
 if (empty($_EXTCONF['offlineMode'])) {
     $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['scheduler']['tasks'][\TYPO3\CMS\Extensionmanager\Task\UpdateExtensionListTask::class] = array(
         'extension' => $_EXTKEY,
diff --git a/typo3/sysext/fluid_styled_content/Configuration/TCA/Overrides/pages.php b/typo3/sysext/fluid_styled_content/Configuration/TCA/Overrides/pages.php
index 859ea0f700ee..d75617374801 100644
--- a/typo3/sysext/fluid_styled_content/Configuration/TCA/Overrides/pages.php
+++ b/typo3/sysext/fluid_styled_content/Configuration/TCA/Overrides/pages.php
@@ -1,18 +1,14 @@
 <?php
 defined('TYPO3_MODE') or die();
 
-call_user_func(
-    function ($extKey) {
-        $extConf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf'][$extKey]);
-
-        if (isset($extConf['loadContentElementWizardTsConfig']) && (int)$extConf['loadContentElementWizardTsConfig'] === 0) {
-            // Add pageTSconfig
-            \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::registerPageTSConfigFile(
-                $extKey,
-                'Configuration/PageTSconfig/NewContentElementWizard.ts',
-                'Fluid-based Content Elements'
-            );
-        }
-    },
-    'fluid_styled_content'
-);
+call_user_func(function () {
+    $extConf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['fluid_styled_content'], ['allowed_classes' => false]);
+    if (isset($extConf['loadContentElementWizardTsConfig']) && (int)$extConf['loadContentElementWizardTsConfig'] === 0) {
+        // Add pageTSconfig
+        \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::registerPageTSConfigFile(
+            'fluid_styled_content',
+            'Configuration/PageTSconfig/NewContentElementWizard.ts',
+            'Fluid-based Content Elements'
+        );
+    }
+});
diff --git a/typo3/sysext/fluid_styled_content/ext_localconf.php b/typo3/sysext/fluid_styled_content/ext_localconf.php
index 272b8b7e1608..7cca6aed3e9a 100644
--- a/typo3/sysext/fluid_styled_content/ext_localconf.php
+++ b/typo3/sysext/fluid_styled_content/ext_localconf.php
@@ -8,24 +8,21 @@ $GLOBALS['TYPO3_CONF_VARS']['FE']['contentRenderingTemplates'][] = 'fluidstyledc
 $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['cms/layout/class.tx_cms_layout.php']['tt_content_drawItem']['textmedia'] = \TYPO3\CMS\FluidStyledContent\Hooks\TextmediaPreviewRenderer::class;
 
 if (TYPO3_MODE === 'BE') {
-    call_user_func(
-        function ($extKey) {
-            // Get the extension configuration
-            $extConf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf'][$extKey]);
+    call_user_func(function () {
+        // Get the extension configuration
+        $extConf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['fluid_styled_content'], ['allowed_classes' => false]);
 
-            if (!isset($extConf['loadContentElementWizardTsConfig']) || (int)$extConf['loadContentElementWizardTsConfig'] === 1) {
-                // Include new content elements to modWizards
-                \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::addPageTSConfig('<INCLUDE_TYPOSCRIPT: source="FILE:EXT:fluid_styled_content/Configuration/PageTSconfig/NewContentElementWizard.ts">');
-            }
+        if (!isset($extConf['loadContentElementWizardTsConfig']) || (int)$extConf['loadContentElementWizardTsConfig'] === 1) {
+            // Include new content elements to modWizards
+            \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::addPageTSConfig('<INCLUDE_TYPOSCRIPT: source="FILE:EXT:fluid_styled_content/Configuration/PageTSconfig/NewContentElementWizard.ts">');
+        }
 
-            $dispatcher = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance(\TYPO3\CMS\Extbase\SignalSlot\Dispatcher::class);
-            $dispatcher->connect(
-                \TYPO3\CMS\Extensionmanager\Controller\ConfigurationController::class,
-                'afterExtensionConfigurationWrite',
-                \TYPO3\CMS\FluidStyledContent\Hooks\TcaCacheClearing::class,
-                'clearTcaCache'
-            );
-        },
-        $_EXTKEY
-    );
+        $dispatcher = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance(\TYPO3\CMS\Extbase\SignalSlot\Dispatcher::class);
+        $dispatcher->connect(
+            \TYPO3\CMS\Extensionmanager\Controller\ConfigurationController::class,
+            'afterExtensionConfigurationWrite',
+            \TYPO3\CMS\FluidStyledContent\Hooks\TcaCacheClearing::class,
+            'clearTcaCache'
+        );
+    });
 }
diff --git a/typo3/sysext/indexed_search/Classes/Controller/AdministrationController.php b/typo3/sysext/indexed_search/Classes/Controller/AdministrationController.php
index 033050573e6b..30643ffbc43e 100644
--- a/typo3/sysext/indexed_search/Classes/Controller/AdministrationController.php
+++ b/typo3/sysext/indexed_search/Classes/Controller/AdministrationController.php
@@ -151,7 +151,7 @@ class AdministrationController extends ActionController
     public function initializeAction()
     {
         $this->pageUid = (int)GeneralUtility::_GET('id');
-        $this->indexerConfig = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['indexed_search']);
+        $this->indexerConfig = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['indexed_search'], ['allowed_classes' => false]);
         $this->enableMetaphoneSearch = (bool)$this->indexerConfig['enableMetaphoneSearch'];
         $this->indexer = GeneralUtility::makeInstance(Indexer::class);
 
diff --git a/typo3/sysext/indexed_search/Classes/Controller/SearchController.php b/typo3/sysext/indexed_search/Classes/Controller/SearchController.php
index 2e75a46f6515..671b01036384 100644
--- a/typo3/sysext/indexed_search/Classes/Controller/SearchController.php
+++ b/typo3/sysext/indexed_search/Classes/Controller/SearchController.php
@@ -175,7 +175,7 @@ class SearchController extends \TYPO3\CMS\Extbase\Mvc\Controller\ActionControlle
             $searchData = array_merge($this->settings['defaultOptions'], $searchData);
         }
         // Indexer configuration from Extension Manager interface:
-        $this->indexerConfig = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['indexed_search']);
+        $this->indexerConfig = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['indexed_search'], ['allowed_classes' => false]);
         $this->enableMetaphoneSearch = (bool)$this->indexerConfig['enableMetaphoneSearch'];
         $this->initializeExternalParsers();
         // If "_sections" is set, this value overrides any existing value.
diff --git a/typo3/sysext/indexed_search/Classes/FileContentParser.php b/typo3/sysext/indexed_search/Classes/FileContentParser.php
index 9cc7be2cc19d..87978ae3ae97 100644
--- a/typo3/sysext/indexed_search/Classes/FileContentParser.php
+++ b/typo3/sysext/indexed_search/Classes/FileContentParser.php
@@ -76,7 +76,7 @@ class FileContentParser
     public function initParser($extension)
     {
         // Then read indexer-config and set if appropriate:
-        $indexerConfig = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['indexed_search']);
+        $indexerConfig = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['indexed_search'], ['allowed_classes' => false]);
         // If windows, apply extension to tool name:
         $exe = TYPO3_OS == 'WIN' ? '.exe' : '';
         // lg
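Review bot: initParser() and searchTypeMediaTitle() (the next hunk) each repeat the full `unserialize(..., ['allowed_classes' => false])` expression, and the same line recurs in Indexer and the indexed_search controllers, so the hardening option has to be remembered at every future call site. A small accessor that decodes the string and normalizes non-array results would keep the option in one place; the method name below is only a suggestion. Both method bodies continue outside their hunks.

```php
    /**
     * Decode the indexed_search extension configuration.
     * Objects are denied; anything that is not an array is treated as empty.
     *
     * @return array
     */
    protected function getIndexerConfiguration()
    {
        $configuration = unserialize(
            $GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['indexed_search'],
            ['allowed_classes' => false]
        );
        return is_array($configuration) ? $configuration : [];
    }

    public function initParser($extension)
    {
        // Then read indexer-config and set if appropriate:
        $indexerConfig = $this->getIndexerConfiguration();
        // … unchanged: rest of initParser() …
```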
@@ -288,7 +288,7 @@ class FileContentParser
     public function searchTypeMediaTitle($extension)
     {
         // Read indexer-config
-        $indexerConfig = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['indexed_search']);
+        $indexerConfig = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['indexed_search'], ['allowed_classes' => false]);
         // Ignore extensions
         $ignoreExtensions = GeneralUtility::trimExplode(',', strtolower($indexerConfig['ignoreExtensions']), true);
         if (in_array($extension, $ignoreExtensions)) {
diff --git a/typo3/sysext/indexed_search/Classes/Indexer.php b/typo3/sysext/indexed_search/Classes/Indexer.php
index e4b09284df78..4749ed2b8d10 100644
--- a/typo3/sysext/indexed_search/Classes/Indexer.php
+++ b/typo3/sysext/indexed_search/Classes/Indexer.php
@@ -251,7 +251,7 @@ class Indexer
     public function hook_indexContent(&$pObj)
     {
         // Indexer configuration from Extension Manager interface:
-        $indexerConfig = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['indexed_search']);
+        $indexerConfig = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['indexed_search'], ['allowed_classes' => false]);
         // Crawler activation:
         // Requirements are that the crawler is loaded, a crawler session is running and re-indexing requested as processing instruction:
         if (\TYPO3\CMS\Core\Utility\ExtensionManagementUtility::isLoaded('crawler') && $pObj->applicationData['tx_crawler']['running'] && in_array('tx_indexedsearch_reindex', $pObj->applicationData['tx_crawler']['parameters']['procInstructions'])) {
@@ -474,7 +474,7 @@ class Indexer
         // Setting phash / phash_grouping which identifies the indexed page based on some of these variables:
         $this->setT3Hashes();
         // Indexer configuration from Extension Manager interface:
-        $this->indexerConfig = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['indexed_search']);
+        $this->indexerConfig = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['indexed_search'], ['allowed_classes' => false]);
         $this->tstamp_minAge = MathUtility::forceIntegerInRange($this->indexerConfig['minAge'] * 3600, 0);
         $this->tstamp_maxAge = MathUtility::forceIntegerInRange($this->indexerConfig['maxAge'] * 3600, 0);
         $this->maxExternalFiles = MathUtility::forceIntegerInRange($this->indexerConfig['maxExternalFiles'], 0, 1000, 5);
diff --git a/typo3/sysext/indexed_search/ext_localconf.php b/typo3/sysext/indexed_search/ext_localconf.php
index 20ece71edbbd..321ce16a27a3 100644
--- a/typo3/sysext/indexed_search/ext_localconf.php
+++ b/typo3/sysext/indexed_search/ext_localconf.php
@@ -45,7 +45,7 @@ $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['indexed_search']['external_parsers'] = a
 );
 $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['indexed_search']['use_tables'] = 'index_phash,index_fulltext,index_rel,index_words,index_section,index_grlist,index_stat_search,index_stat_word,index_debug,index_config';
 // unserializing the configuration so we can use it here:
-$_EXTCONF = unserialize($_EXTCONF);
+$_EXTCONF = unserialize($_EXTCONF, ['allowed_classes' => false]);
 // Use the advanced doubleMetaphone parser instead of the internal one (usage of metaphone parsers is generally disabled by default)
 if (isset($_EXTCONF['enableMetaphoneSearch']) && (int)$_EXTCONF['enableMetaphoneSearch'] == 2) {
     $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['indexed_search']['metaphone'] = \TYPO3\CMS\IndexedSearch\Utility\DoubleMetaPhoneUtility::class;
diff --git a/typo3/sysext/install/Classes/Service/SilentConfigurationUpgradeService.php b/typo3/sysext/install/Classes/Service/SilentConfigurationUpgradeService.php
index 5ac4ac8a0d1d..03d8f6e1f5e4 100755
--- a/typo3/sysext/install/Classes/Service/SilentConfigurationUpgradeService.php
+++ b/typo3/sysext/install/Classes/Service/SilentConfigurationUpgradeService.php
@@ -98,7 +98,6 @@ class SilentConfigurationUpgradeService
     {
         $this->generateEncryptionKeyIfNeeded();
         $this->configureBackendLoginSecurity();
-        $this->configureSaltedPasswords();
         $this->migrateImageProcessorSetting();
         $this->transferHttpSettings();
         $this->disableImageMagickDetailSettingsIfImageMagickIsDisabled();
@@ -154,43 +153,6 @@ class SilentConfigurationUpgradeService
         }
     }
 
-    /**
-     * Check the settings for salted passwords extension to load it as a required extension.
-     * Unset obsolete configuration options if given.
-     *
-     * @return void
-     */
-    protected function configureSaltedPasswords()
-    {
-        $defaultConfiguration = $this->configurationManager->getDefaultConfiguration();
-        $defaultExtensionConfiguration = unserialize($defaultConfiguration['EXT']['extConf']['saltedpasswords']);
-        try {
-            $extensionConfiguration = @unserialize($this->configurationManager->getLocalConfigurationValueByPath('EXT/extConf/saltedpasswords'));
-        } catch (\RuntimeException $e) {
-            $extensionConfiguration = [];
-        }
-        if (is_array($extensionConfiguration) && !empty($extensionConfiguration)) {
-            if (isset($extensionConfiguration['BE.']['enabled'])) {
-                if ($extensionConfiguration['BE.']['enabled']) {
-                    unset($extensionConfiguration['BE.']['enabled']);
-                } else {
-                    $extensionConfiguration['BE.'] = $defaultExtensionConfiguration['BE.'];
-                }
-                $this->configurationManager->setLocalConfigurationValueByPath(
-                    'EXT/extConf/saltedpasswords',
-                    serialize($extensionConfiguration)
-                );
-                $this->throwRedirectException();
-            }
-        } else {
-            $this->configurationManager->setLocalConfigurationValueByPath(
-                'EXT/extConf/saltedpasswords',
-                serialize($defaultExtensionConfiguration)
-            );
-            $this->throwRedirectException();
-        }
-    }
-
     /**
      * The encryption key is crucial for securing form tokens
      * and the whole TYPO3 link rendering later on. A random key is set here in
diff --git a/typo3/sysext/install/Tests/Unit/Service/SilentConfigurationUpgradeServiceTest.php b/typo3/sysext/install/Tests/Unit/Service/SilentConfigurationUpgradeServiceTest.php
index 10bc6808890c..359da5de869b 100644
--- a/typo3/sysext/install/Tests/Unit/Service/SilentConfigurationUpgradeServiceTest.php
+++ b/typo3/sysext/install/Tests/Unit/Service/SilentConfigurationUpgradeServiceTest.php
@@ -187,141 +187,6 @@ class SilentConfigurationUpgradeServiceTest extends \TYPO3\CMS\Core\Tests\UnitTe
         $silentConfigurationUpgradeServiceInstance->_call('removeObsoleteLocalConfigurationSettings');
     }
 
-    /**
-     * @test
-     */
-    public function configureSaltedPasswordsWithDefaultConfiguration()
-    {
-        /** @var $silentConfigurationUpgradeServiceInstance SilentConfigurationUpgradeService|\PHPUnit_Framework_MockObject_MockObject|\TYPO3\CMS\Core\Tests\AccessibleObjectInterface */
-        $silentConfigurationUpgradeServiceInstance = $this->getAccessibleMock(
-            SilentConfigurationUpgradeService::class,
-            array('dummy'),
-            array(),
-            '',
-            false
-        );
-        $config = 'a:2:{s:3:"BE.";a:3:{s:11:"forceSalted";i:0;s:15:"onlyAuthService";i:0;s:12:"updatePasswd";i:1;}s:3:"FE.";a:4:{s:7:"enabled";i:0;s:11:"forceSalted";i:0;s:15:"onlyAuthService";i:0;s:12:"updatePasswd";i:1;}}';
-        $defaultConfiguration = array();
-        $defaultConfiguration['EXT']['extConf']['saltedpasswords'] = $config;
-
-        $closure = function () {
-            throw new \RuntimeException('Path does not exist in array', 1341397869);
-        };
-
-        $this->createConfigurationManagerWithMockedMethods(
-            array(
-                'getDefaultConfiguration',
-                'getLocalConfigurationValueByPath',
-                'setLocalConfigurationValueByPath',
-            )
-        );
-        $this->configurationManager->expects($this->exactly(1))
-            ->method('getDefaultConfiguration')
-            ->will($this->returnValue($defaultConfiguration));
-        $this->configurationManager->expects($this->exactly(1))
-            ->method('getLocalConfigurationValueByPath')
-            ->will($this->returnCallback($closure));
-        $this->configurationManager->expects($this->once())
-            ->method('setLocalConfigurationValueByPath')
-            ->with($this->equalTo('EXT/extConf/saltedpasswords'), $this->equalTo($config));
-
-        $this->expectException(RedirectException::class);
-
-        $silentConfigurationUpgradeServiceInstance->_set('configurationManager', $this->configurationManager);
-
-        $silentConfigurationUpgradeServiceInstance->_call('configureSaltedPasswords');
-    }
-
-    /**
-     * @test
-     */
-    public function configureSaltedPasswordsWithExtensionConfigurationBeEnabled()
-    {
-        /** @var $silentConfigurationUpgradeServiceInstance SilentConfigurationUpgradeService|\PHPUnit_Framework_MockObject_MockObject|\TYPO3\CMS\Core\Tests\AccessibleObjectInterface */
-        $silentConfigurationUpgradeServiceInstance = $this->getAccessibleMock(
-            SilentConfigurationUpgradeService::class,
-            array('dummy'),
-            array(),
-            '',
-            false
-        );
-        $config = 'a:2:{s:3:"BE.";a:1:{s:21:"saltedPWHashingMethod";}s:3:"FE.";a:2:{s:7:"enabled";i:0;s:11:"forceSalted";i:0;}}';
-        $defaultConfiguration = array();
-        $defaultConfiguration['EXT']['extConf']['saltedpasswords'] = $config;
-
-        $currentLocalConfiguration = array(
-            array('EXT/extConf/saltedpasswords', 'a:2:{s:3:"BE.";a:1:{s:7:"enabled";i:1;}s:3:"FE.";a:1:{s:7:"enabled";i:0;}}')
-        );
-        $newConfig = 'a:2:{s:3:"BE.";a:0:{}s:3:"FE.";a:1:{s:7:"enabled";i:0;}}';
-        $this->createConfigurationManagerWithMockedMethods(
-            array(
-                'getDefaultConfiguration',
-                'getLocalConfigurationValueByPath',
-                'setLocalConfigurationValueByPath',
-            )
-        );
-        $this->configurationManager->expects($this->exactly(1))
-            ->method('getDefaultConfiguration')
-            ->will($this->returnValue($defaultConfiguration));
-        $this->configurationManager->expects($this->exactly(1))
-            ->method('getLocalConfigurationValueByPath')
-            ->will($this->returnValueMap($currentLocalConfiguration));
-        $this->configurationManager->expects($this->once())
-            ->method('setLocalConfigurationValueByPath')
-            ->with($this->equalTo('EXT/extConf/saltedpasswords'), $this->equalTo($newConfig));
-
-        $this->expectException(RedirectException::class);
-
-        $silentConfigurationUpgradeServiceInstance->_set('configurationManager', $this->configurationManager);
-
-        $silentConfigurationUpgradeServiceInstance->_call('configureSaltedPasswords');
-    }
-
-    /**
-     * @test
-     */
-    public function configureSaltedPasswordsWithExtensionConfigurationBeNotEnabled()
-    {
-        /** @var $silentConfigurationUpgradeServiceInstance SilentConfigurationUpgradeService|\PHPUnit_Framework_MockObject_MockObject|\TYPO3\CMS\Core\Tests\AccessibleObjectInterface */
-        $silentConfigurationUpgradeServiceInstance = $this->getAccessibleMock(
-            SilentConfigurationUpgradeService::class,
-            array('dummy'),
-            array(),
-            '',
-            false
-        );
-        $config = 'a:2:{s:3:"BE.";a:1:{s:15:"onlyAuthService";i:0;}s:3:"FE.";a:2:{s:7:"enabled";i:0;s:11:"forceSalted";i:0;}}';
-        $defaultConfiguration = array();
-        $defaultConfiguration['EXT']['extConf']['saltedpasswords'] = $config;
-
-        $currentLocalConfiguration = array(
-            array('EXT/extConf/saltedpasswords', 'a:2:{s:3:"BE.";a:2:{s:7:"enabled";i:0;s:12:"updatePasswd";i:1;}s:3:"FE.";a:1:{s:7:"enabled";i:0;}}')
-        );
-        $newConfig = 'a:2:{s:3:"BE.";a:1:{s:15:"onlyAuthService";i:0;}s:3:"FE.";a:1:{s:7:"enabled";i:0;}}';
-        $this->createConfigurationManagerWithMockedMethods(
-            array(
-                'getDefaultConfiguration',
-                'getLocalConfigurationValueByPath',
-                'setLocalConfigurationValueByPath',
-            )
-        );
-        $this->configurationManager->expects($this->exactly(1))
-            ->method('getDefaultConfiguration')
-            ->will($this->returnValue($defaultConfiguration));
-        $this->configurationManager->expects($this->exactly(1))
-            ->method('getLocalConfigurationValueByPath')
-            ->will($this->returnValueMap($currentLocalConfiguration));
-        $this->configurationManager->expects($this->once())
-            ->method('setLocalConfigurationValueByPath')
-            ->with($this->equalTo('EXT/extConf/saltedpasswords'), $this->equalTo($newConfig));
-
-        $this->expectException(RedirectException::class);
-
-        $silentConfigurationUpgradeServiceInstance->_set('configurationManager', $this->configurationManager);
-
-        $silentConfigurationUpgradeServiceInstance->_call('configureSaltedPasswords');
-    }
-
     /**
      * @test
      */
@@ -711,4 +576,4 @@ class SilentConfigurationUpgradeServiceTest extends \TYPO3\CMS\Core\Tests\UnitTe
 
         $silentConfigurationUpgradeServiceInstance->_call('setImageMagickDetailSettings');
     }
-}
+}
\ No newline at end of file
diff --git a/typo3/sysext/rsaauth/Classes/Backend/CommandLineBackend.php b/typo3/sysext/rsaauth/Classes/Backend/CommandLineBackend.php
index 42ffba888e8e..406e5663153b 100644
--- a/typo3/sysext/rsaauth/Classes/Backend/CommandLineBackend.php
+++ b/typo3/sysext/rsaauth/Classes/Backend/CommandLineBackend.php
@@ -54,7 +54,7 @@ class CommandLineBackend extends AbstractBackend
     {
         $this->opensslPath = CommandUtility::getCommand('openssl');
         // Get temporary directory from the configuration
-        $extconf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['rsaauth']);
+        $extconf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['rsaauth'], ['allowed_classes' => false]);
         if (
             $extconf['temporaryDirectory'] !== ''
             && $extconf['temporaryDirectory'][0] === '/'
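Review bot: The value returned by `unserialize()` is indexed as an array on the following context lines without any type check. With `['allowed_classes' => false]` a serialized object is not rejected but comes back as `__PHP_Incomplete_Class`, and malformed data returns `false`, so `$extconf['temporaryDirectory']` can still raise an error or yield a non-string that is then treated as a path. A guard directly after the call would close that gap, for example `if (!is_array($extconf) || !is_string($extconf['temporaryDirectory'] ?? null)) { $extconf = ['temporaryDirectory' => '']; }`. The same unchecked access follows the patched call in the BackendWarnings.php, Scheduler.php and scheduler/ext_localconf.php hunks, where an `is_array()` check would do the same job. The enclosing method's signature and the end of its body are outside this hunk.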
diff --git a/typo3/sysext/rsaauth/Classes/BackendWarnings.php b/typo3/sysext/rsaauth/Classes/BackendWarnings.php
index ca45eeb21baf..ecd702851d58 100644
--- a/typo3/sysext/rsaauth/Classes/BackendWarnings.php
+++ b/typo3/sysext/rsaauth/Classes/BackendWarnings.php
@@ -34,7 +34,7 @@ class BackendWarnings
             $lang = $this->getLanguageService();
             $warnings['rsaauth_cmdline'] = $lang->sL('LLL:EXT:rsaauth/Resources/Private/Language/locallang.xlf:hook_using_cmdline');
             // Check the path
-            $extconf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['rsaauth']);
+            $extconf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['rsaauth'], ['allowed_classes' => false]);
             $path = trim($extconf['temporaryDirectory']);
             if ($path == '') {
                 // Path is empty
diff --git a/typo3/sysext/rtehtmlarea/ext_localconf.php b/typo3/sysext/rtehtmlarea/ext_localconf.php
index dfa123994d43..c97f4bff078a 100644
--- a/typo3/sysext/rtehtmlarea/ext_localconf.php
+++ b/typo3/sysext/rtehtmlarea/ext_localconf.php
@@ -13,7 +13,7 @@ require_once \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::extPath('rtehtm
 
 $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['rtehtmlarea']['version'] = $EM_CONF['rtehtmlarea']['version'];
 // Unserializing the configuration so we can use it here
-$_EXTCONF = unserialize($_EXTCONF);
+$_EXTCONF = unserialize($_EXTCONF, ['allowed_classes' => false]);
 
 // Add default RTE transformation configuration
 \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::addPageTSConfig('<INCLUDE_TYPOSCRIPT: source="FILE:EXT:rtehtmlarea/Configuration/PageTSconfig/Proc/pageTSConfig.txt">');
diff --git a/typo3/sysext/saltedpasswords/Classes/Utility/ExtensionManagerConfigurationUtility.php b/typo3/sysext/saltedpasswords/Classes/Utility/ExtensionManagerConfigurationUtility.php
index 73de410afbed..45a56e0cad3a 100755
--- a/typo3/sysext/saltedpasswords/Classes/Utility/ExtensionManagerConfigurationUtility.php
+++ b/typo3/sysext/saltedpasswords/Classes/Utility/ExtensionManagerConfigurationUtility.php
@@ -149,7 +149,7 @@ class ExtensionManagerConfigurationUtility
     private function init()
     {
         $requestSetup = $this->processPostData((array) $_REQUEST['data']);
-        $extConf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['saltedpasswords']);
+        $extConf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['saltedpasswords'], ['allowed_classes' => false]);
         $this->extConf['BE'] = array_merge((array)$extConf['BE.'], (array)$requestSetup['BE.']);
         $this->extConf['FE'] = array_merge((array)$extConf['FE.'], (array)$requestSetup['FE.']);
         $this->getLanguageService()->includeLLFile('EXT:saltedpasswords/Resources/Private/Language/locallang.xlf');
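Review bot: In `init()` the `saltedpasswords` entry is passed to `unserialize()` without the `isset()` guard that the SaltedPasswordsUtility.php hunk below applies to the same key. An installation with no stored configuration therefore gets an undefined-index notice on this line. The `(array)` casts on the next two lines already absorb a `false` result, so only the read needs a default: `$extConf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['saltedpasswords'] ?? '', ['allowed_classes' => false]);`. The rest of `init()` lies outside this hunk.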
diff --git a/typo3/sysext/saltedpasswords/Classes/Utility/SaltedPasswordsUtility.php b/typo3/sysext/saltedpasswords/Classes/Utility/SaltedPasswordsUtility.php
index c80358cbd591..2b656faa041b 100644
--- a/typo3/sysext/saltedpasswords/Classes/Utility/SaltedPasswordsUtility.php
+++ b/typo3/sysext/saltedpasswords/Classes/Utility/SaltedPasswordsUtility.php
@@ -51,7 +51,7 @@ class SaltedPasswordsUtility
     {
         $currentConfiguration = self::returnExtConfDefaults();
         if (isset($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['saltedpasswords'])) {
-            $extensionConfiguration = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['saltedpasswords']);
+            $extensionConfiguration = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['saltedpasswords'], ['allowed_classes' => false]);
             // Merge default configuration with modified configuration:
             if (isset($extensionConfiguration[$mode . '.'])) {
                 $currentConfiguration = array_merge($currentConfiguration, $extensionConfiguration[$mode . '.']);
diff --git a/typo3/sysext/scheduler/Classes/Scheduler.php b/typo3/sysext/scheduler/Classes/Scheduler.php
index 925d22121447..84cb1a476617 100644
--- a/typo3/sysext/scheduler/Classes/Scheduler.php
+++ b/typo3/sysext/scheduler/Classes/Scheduler.php
@@ -38,7 +38,7 @@ class Scheduler implements \TYPO3\CMS\Core\SingletonInterface
     public function __construct()
     {
         // Get configuration from the extension manager
-        $this->extConf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['scheduler']);
+        $this->extConf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['scheduler'], ['allowed_classes' => false]);
         if (empty($this->extConf['maxLifetime'])) {
             $this->extConf['maxLifetime'] = 1440;
         }
diff --git a/typo3/sysext/scheduler/ext_localconf.php b/typo3/sysext/scheduler/ext_localconf.php
index 3bf20ed5e9d6..ab11a969a66e 100644
--- a/typo3/sysext/scheduler/ext_localconf.php
+++ b/typo3/sysext/scheduler/ext_localconf.php
@@ -10,7 +10,7 @@ $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['GLOBAL']['cliKeys']['scheduler'] = ar
     '_CLI_scheduler'
 );
 // Get the extensions's configuration
-$extConf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['scheduler']);
+$extConf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['scheduler'], ['allowed_classes' => false]);
 // If sample tasks should be shown,
 // register information for the test and sleep tasks
 if (!empty($extConf['showSampleTasks'])) {
-- 
GitLab