diff --git a/adminzone/pages/modules/admin_newsletter.php b/adminzone/pages/modules/admin_newsletter.php
index 93ba262e9..cc8bcce2e 100644
--- a/adminzone/pages/modules/admin_newsletter.php
+++ b/adminzone/pages/modules/admin_newsletter.php
@@ -1314,7 +1314,7 @@ class Module_admin_newsletter extends Standard_crud_module
 if (!is_null($csv_data)) {
 $hidden->attach(form_input_hidden('csv_data', $csv_data));
 secure_serialized_data($csv_data, array());
- $_csv_data = unserialize($csv_data);
+ $_csv_data = unserialize($csv_data, array('allowed_classes' => false));
 $num_csv_data = count($_csv_data) - 1;
 $send_to_help = do_lang_tempcode('SOME_NEWSLETTER_TARGETS_KNOWN', escape_html(integer_format($num_csv_data)));
 }
diff --git a/sources/ajax.php b/sources/ajax.php
index a38cfac07..489e7be73 100755
--- a/sources/ajax.php
+++ b/sources/ajax.php
@@ -505,7 +505,7 @@ function ajax_tree_script()
 $_options = serialize(array());
 }
 secure_serialized_data($_options);
- $options = @unserialize($_options);
+ $options = @unserialize($_options, array('allowed_classes' => false));
 if ($options === false) {
 warn_exit(do_lang_tempcode('INTERNAL_ERROR'));
 }
diff --git a/sources/commandr.php b/sources/commandr.php
index 8bd996167..109c4e847 100644
--- a/sources/commandr.php
+++ b/sources/commandr.php
@@ -1213,7 +1213,7 @@ class Virtual_shell
 }
 $_commandr_state_diff = base64_decode($_COOKIE['commandr_state']);
 secure_serialized_data($_commandr_state_diff);
- $commandr_state_diff = @unserialize($_commandr_state_diff);
+ $commandr_state_diff = @unserialize($_commandr_state_diff, array('allowed_classes' => false));
 if (!is_array($commandr_state_diff)) {
 $commandr_state_diff = array();
 }
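Review bot: `$num_csv_data = count($_csv_data) - 1;` on the line after the changed call still assumes unserialize() succeeded; on malformed input it returns false, and count(false) is a TypeError on PHP 8 (only a warning on older versions, which silently produces a wrong count). A guard such as `if (!is_array($_csv_data)) { $_csv_data = array(); }` before the count, or a warn_exit() as ajax.php does in this same commit, closes that. Separately, the two-argument form of unserialize() exists from PHP 7.0 only; if this project still supports 5.x, the extra argument triggers an "expects exactly 1 parameter" warning and a null result, so the same consideration applies to every call site in this commit (ajax.php, commandr.php, feedback.php, the comments snippet, users_inactive_occasionals.php). The enclosing method continues outside the hunk.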
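Review bot: `if ($options === false)` on the line after the changed unserialize() does not cover the case the new argument is there for: with allowed_classes => false a payload carrying an object token is not rejected but decoded to a `__PHP_Incomplete_Class` instance, which is not false and so passes the check into code that presumably expects an array. feedback.php in this same commit already uses the safer shape, `if (!is_array($_options))`; writing this one as `if (!is_array($options)) {` would reject both the failure case and any non-array result. ajax_tree_script() continues outside the hunk.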
@@ -1227,7 +1227,7 @@ class Virtual_shell
 }
 $_commandr_state_lang_diff = base64_decode($_COOKIE['commandr_state_lang']);
 secure_serialized_data($_commandr_state_lang_diff);
- $commandr_state_lang_diff = @unserialize($_commandr_state_lang_diff);
+ $commandr_state_lang_diff = @unserialize($_commandr_state_lang_diff, array('allowed_classes' => false));
 if (!is_array($commandr_state_lang_diff)) {
 $commandr_state_lang_diff = array();
 }
@@ -1246,7 +1246,7 @@ class Virtual_shell
 }
 $_commandr_state_code_diff = base64_decode($_COOKIE['commandr_state_code']);
 secure_serialized_data($_commandr_state_code_diff);
- $commandr_state_code_diff = @unserialize($_commandr_state_code_diff);
+ $commandr_state_code_diff = @unserialize($_commandr_state_code_diff, array('allowed_classes' => false));
 if (!is_array($commandr_state_code_diff)) {
 $commandr_state_code_diff = array();
 }
diff --git a/sources/feedback.php b/sources/feedback.php
index ebc101f8a..8786916c6 100644
--- a/sources/feedback.php
+++ b/sources/feedback.php
@@ -195,7 +195,7 @@ function post_comment_script()
 }
 $options = isset($_POST['options']) ? $_POST['options'] : (isset($_GET['options']) ? $_GET['options'] : '');
 secure_serialized_data($options);
- $_options = @unserialize($options);
+ $_options = @unserialize($options, array('allowed_classes' => false));
 if (!is_array($_options)) {
 warn_exit(do_lang_tempcode('INTERNAL_ERROR'));
 }
diff --git a/sources/global3.php b/sources/global3.php
index 279110889..670e3b32d 100644
--- a/sources/global3.php
+++ b/sources/global3.php
@@ -3436,7 +3436,7 @@ function appengine_live_guard()
 * Check serialized data for objects, as a security measure.
 *
 * @param string $data &$data Serialized data
- * @param ?mixed $safe_replacement What to substitute if objects are contained (null: substitute null)
+ * @param ?mixed $safe_replacement What to substitute if objects are contained (null: substitute null)
 */
 function secure_serialized_data(&$data, $safe_replacement = null)
 {
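Review bot: `$options` is taken straight from `$_POST`/`$_GET` two lines above the changed call, and a request parameter is not guaranteed to be a string: a request sent as `options[]=...` arrives as an array, which then reaches preg_match_all() inside secure_serialized_data() and the unserialize() call itself. On PHP 8 passing an array where a string is expected is a TypeError that `@` does not suppress, so the `!is_array($_options)` check below is never reached; on older versions it is a warning plus a meaningless result. A type check before the data is handed on, `if (!is_string($options)) { warn_exit(do_lang_tempcode('INTERNAL_ERROR')); }`, keeps the failure mode the same as the one already handled. post_comment_script() continues outside the hunk.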
@@ -3444,12 +3444,13 @@ function secure_serialized_data(&$data, $safe_replacement = null)
 // Would be a vulnerability if there's a defined class where such method invocation has dangerous side-effects
 $matches = array();
- $num_matches = preg_match_all('#(^|;)O:\d+:"([^"]+)"#', $data, $matches);
+ $num_matches = preg_match_all('#(^|;)O:[\d\+\-\.]+:"([^"]+)"#', $data, $matches);
 for ($i = 0; $i < $num_matches; $i++) {
 $harsh = true; // Could be turned into a method parameter later, if needed
 if ($harsh) {
 $bad_methods = array(
 '__.*',
+ 'code_to_preexecute',
 );
 } else {
 $bad_methods = array(
@@ -3463,10 +3464,12 @@ function secure_serialized_data(&$data, $safe_replacement = null)
 '__set',
 '__call',
 '__callStatic',
+ 'code_to_preexecute',
 );
 }
- $methods = get_class_methods($matches[2][$i]);
+ $class_name = $matches[2][$i];
+ $methods = get_class_methods($class_name);
 foreach ($bad_methods as $bad_method) {
 foreach ($methods as $method) {
diff --git a/sources/hooks/systems/snippets/comments.php b/sources/hooks/systems/snippets/comments.php
index 8ef7d68f6..e2397d972 100644
--- a/sources/hooks/systems/snippets/comments.php
+++ b/sources/hooks/systems/snippets/comments.php
@@ -43,7 +43,7 @@ class Hook_snippet_comments
 }
 secure_serialized_data($serialized_options);
- list($topic_id, $num_to_show_limit, $allow_comments, $invisible_if_no_comments, $forum, $reverse, $may_reply, $highlight_by_user, $allow_reviews) = unserialize($serialized_options);
+ list($topic_id, $num_to_show_limit, $allow_comments, $invisible_if_no_comments, $forum, $reverse, $may_reply, $highlight_by_user, $allow_reviews) = unserialize($serialized_options, array('allowed_classes' => false));
 $posts = array_map('intval', explode(',', get_param_string('ids', false, true)));
diff --git a/sources/users_inactive_occasionals.php b/sources/users_inactive_occasionals.php
index 34351765e..323fee21f 100755
--- a/sources/users_inactive_occasionals.php
+++ b/sources/users_inactive_occasionals.php
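Review bot: The widened pattern `'#(^|;)O:[\d\+\-\.]+:"([^"]+)"#'` still only recognises the `O:` object token, while PHP's serialization format also has the `C:` form for classes implementing Serializable, whose own unserialize() method runs during decoding just as a magic method would; as this function is the project's generic pre-check and is called on its own, matching both token kinds, `'#(^|;)[OC]:[\d\+\-\.]+:"([^"]+)"#'`, would keep it in step with the allowed_classes hardening applied at the call sites in this commit. The reason for loosening `\d+` to `[\d\+\-\.]+` is not visible in the hunk and deserves a line comment, along the lines of `// Length field matched loosely: do not rely on the length being plain digits to decide whether an object token is present`. The function continues outside the hunk.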
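Review bot: `$methods = get_class_methods($class_name);` is now fed a class name taken verbatim from the payload, and for a name that resolves to no class get_class_methods() returns null on PHP 7 and raises a TypeError on PHP 8, so the `foreach ($methods as $method)` below either warns or the check aborts before it decides anything. Since a class that does not exist cannot carry a dangerous method, an empty list is the right fallback: `$methods = class_exists($class_name) ? get_class_methods($class_name) : array();` keeps the autoload behaviour get_class_methods() already had while making the loop safe. The surrounding loop and the rest of secure_serialized_data() continue outside the hunk.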
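Review bot: The changed `list(...) = unserialize($serialized_options, array('allowed_classes' => false));` destructures the result without checking it: when unserialize() fails it returns false, and when secure_serialized_data() has substituted its default replacement the result is null, and in both cases list() silently assigns null to all nine variables (with notices), so the snippet runs on with a null topic id and null permission flags. Assigning to a temporary and validating it first, e.g. `$_opts = unserialize($serialized_options, array('allowed_classes' => false)); if (!is_array($_opts) || count($_opts) !== 9) { warn_exit(do_lang_tempcode('INTERNAL_ERROR')); }` before the list() line, mirrors the checks feedback.php and ajax.php apply in this same commit. The enclosing method of Hook_snippet_comments starts and continues outside the hunk.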
@@ -392,7 +392,7 @@ function try_cookie_login()
 secure_serialized_data($the_cookie, array());
- $unserialize = @unserialize($the_cookie);
+ $unserialize = @unserialize($the_cookie, array('allowed_classes' => false));
 if (is_array($unserialize)) {
 if (array_key_exists($real_member_cookie, $unserialize)) {