

Hotfix: Add type checking for deserialized data in sfParameterHolder …
…and sfNamespacedParameterHolder (CVE-2024-28861)
darkpills authored and thePanz committed Mar 19, 2024
1 parent 50a898b commit 0bd9d59
Showing 2 changed files with 15 additions and 0 deletions.
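--- a/lib/util/sfNamespacedParameterHolder.class.php
+++ b/lib/util/sfNamespacedParameterHolder.class.php
@@ -53,11 +53,19 @@ public function __serialize()
 
 /**
 * Unserializes a sfParameterHolder instance for PHP 7.4+.
+* [CVE-2024-28861] Check type of returned data to avoid deserialization vulnerabilities.
 *
 * @param array $data
 */
 public function __unserialize($data)
 {
+if (!is_array($data) || 2 !== \count($data)) {
+$this->default_namespace = null;
+$this->parameters = [];
+
+return;
+}
+
 $this->default_namespace = $data[0];
 $this->parameters = $data[1];
 }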
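Review bot: The new guard only checks that `$data` is an array of two elements, not that the two elements are the values the assignments on the next lines expect: an array with two elements under keys other than `0` and `1` passes the `2 !== \count($data)` test and then reads undefined offsets, and `$data[1]` is stored into `$this->parameters` without confirming it is an array. A stricter form would be `if (!is_array($data) || !array_key_exists(0, $data) || !array_key_exists(1, $data) || !is_array($data[1])) {`, keeping the same reset-and-return fallback; the same element-level gap applies to `$this->parameters = $data;` in the sfParameterHolder hunk, where nothing constrains the contents of the array. Note also the mixed qualification in one condition (`is_array` unqualified, `\count` fully qualified); the file's convention should decide, but they should match. The docblock could state the fallback explicitly, e.g. `* Resets the holder to an empty state when the payload does not have the expected shape.`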
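--- a/lib/util/sfParameterHolder.class.php
+++ b/lib/util/sfParameterHolder.class.php
@@ -41,11 +41,18 @@ public function __serialize()
 
 /**
 * Unserializes a sfParameterHolder instance for PHP 7.4+.
+* [CVE-2024-28861] Check type of returned data to avoid deserialization vulnerabilities.
 *
 * @param array $data
 */
 public function __unserialize($data)
 {
+if (!is_array($data)) {
+$this->parameters = [];
+
+return;
+}
+
 $this->parameters = $data;
 }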
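Review bot: The parameter is documented as `@param array $data` but declared without a native type, so the method accepts anything when called directly, which is what makes the `is_array` guard necessary; declaring it as `public function __unserialize(array $data)` would match the signature PHP defines for this hook and, as far as I recall, the engine itself only ever passes an array to `__unserialize`, so the guard then mainly matters for direct callers. Whichever form is kept, the silent reset to `[]` discards a malformed payload without any trace; if that is intentional for session robustness, say so in the docblock, e.g. `* A payload that is not an array is discarded and the holder starts empty; no error is raised.`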
