[SECURITY] Avoid insecure deserialization of $BE_USER->uc properties
General and unscoped collection of user settings in $BE_USER->uc is vulnerable to insecure deserialization, triggered by lots of different consumers invoking `unserialize()`. Class deserialization is denied by using option `['allowed_classes' => false]`.

Resolves: #90313
Releases: master, 9.5
Change-Id: Ic969441bcd4e85fcdbbde23f539bfbcb629ffbb4
Security-Bulletin: TYPO3-CORE-SA-2020-005
Security-References: CVE-2020-11067
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64469
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Files changed:
- typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php (1 addition, 1 deletion)
- typo3/sysext/fluid/Classes/Core/Widget/AjaxWidgetContextHolder.php (27 additions, 7 deletions)
- typo3/sysext/fluid/Classes/Core/Widget/WidgetContext.php (59 additions, 10 deletions)
- typo3/sysext/fluid/Tests/Unit/Core/Widget/WidgetContextTest.php (2 additions, 2 deletions)
- typo3/sysext/workspaces/Classes/Controller/Remote/ActionHandler.php (2 additions, 2 deletions)
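The commit message describes the fix only in one sentence: the stored user-settings blob is passed through `unserialize()` by many consumers, and the patch denies class instantiation with `['allowed_classes' => false]`. The following PHP is an added example written for this page, not code from the TYPO3 patch above. The gadget class `LogWriter`, the serialized blob `EVIL_UC` and the two helper functions are constructed for illustration; the blob stands in for whatever an attacker could get written into the `uc` column, and the gadget's side effect is reduced to a static flag so the script is harmless to run.

```php
<?php
declare(strict_types=1);

// Hypothetical gadget class (constructed for this example): any autoloadable
// class whose magic methods have side effects. Here the side effect is only a
// flag; in a real gadget chain it would be a file write or a command.
final class LogWriter
{
    public static $triggered = false;
    public $path = '';
    public $line = '';

    public function __wakeup()
    {
        self::$triggered = true;
    }
}

// Constructed uc blob: an array (as uc normally is) in which one key carries
// an object instead of a scalar. The byte lengths match the quoted strings.
const EVIL_UC = 'a:1:{s:6:"gadget";O:9:"LogWriter":2:{s:4:"path";s:12:"/tmp/pwn.txt";s:4:"line";s:6:"pwned!";}}';

// Before the fix: plain unserialize() instantiates whatever class name the
// blob carries, so __wakeup() runs on attacker-controlled data.
function unserializeUcInsecure(string $blob): array
{
    $uc = unserialize($blob);
    return is_array($uc) ? $uc : [];
}

// After the fix: no class is instantiated. Objects come back as
// __PHP_Incomplete_Class, whose magic methods are never invoked, while
// arrays and scalars (the legitimate content of uc) are unaffected.
function unserializeUcHardened(string $blob): array
{
    $uc = unserialize($blob, ['allowed_classes' => false]);
    return is_array($uc) ? $uc : [];
}

LogWriter::$triggered = false;
$uc = unserializeUcInsecure(EVIL_UC);
printf("insecure: class=%s wakeup_ran=%s\n",
    get_class($uc['gadget']), var_export(LogWriter::$triggered, true));

LogWriter::$triggered = false;
$uc = unserializeUcHardened(EVIL_UC);
printf("hardened: class=%s wakeup_ran=%s\n",
    get_class($uc['gadget']), var_export(LogWriter::$triggered, true));
```

Two points a reviewer of this kind of fix checks: `allowed_classes => false` is the right setting only when the blob legitimately holds nothing but arrays and scalars; if known object types must survive, pass an explicit allow-list of class names instead of `false`, never `true`. And because the commit message notes that many consumers call `unserialize()` themselves, the option has to reach every one of those call sites (or they have to be routed through a single hardened helper), otherwise one forgotten consumer keeps the original behaviour.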