Hotfix: Add type checking for deserialized data in sfParameterHolder and sfNamespacedParameterHolder (CVE-2024-28861)

darkpills · thePanz · commit 0bd9d59c6922 · 2024-03-19T13:46:06.000+01:00
diff --git a/lib/util/sfNamespacedParameterHolder.class.php b/lib/util/sfNamespacedParameterHolder.class.php
@@ -53,11 +53,19 @@ public function __serialize()
 
     /**
      * Unserializes a sfParameterHolder instance for PHP 7.4+.
+     * [CVE-2024-28861] Check type of returned data to avoid deserialization vulnerabilities.
      *
      * @param array $data
      */
     public function __unserialize($data)
     {
+        if (!is_array($data) || 2 !== \count($data)) {
+            $this->default_namespace = null;
+            $this->parameters = [];
+
+            return;
+        }
+
         $this->default_namespace = $data[0];
         $this->parameters = $data[1];
     }
diff --git a/lib/util/sfParameterHolder.class.php b/lib/util/sfParameterHolder.class.php
@@ -41,11 +41,18 @@ public function __serialize()
 
     /**
      * Unserializes a sfParameterHolder instance for PHP 7.4+.
+     * [CVE-2024-28861] Check type of returned data to avoid deserialization vulnerabilities.
      *
      * @param array $data
      */
     public function __unserialize($data)
     {
+        if (!is_array($data)) {
+            $this->parameters = [];
+
+            return;
+        }
+
         $this->parameters = $data;
     }
 

Original file line number	Diff line number	Diff line change
`@@ -53,11 +53,19 @@ public function __serialize()`
`53`	`53`
`54`	`54`	`/**`
`55`	`55`	`* Unserializes a sfParameterHolder instance for PHP 7.4+.`
	`56`	`+ * [CVE-2024-28861] Check type of returned data to avoid deserialization vulnerabilities.`
`56`	`57`	`*`
`57`	`58`	`* @param array $data`
`58`	`59`	`*/`
`59`	`60`	`public function __unserialize($data)`
`60`	`61`	`{`
	`62`	`+ if (!is_array($data) \|\| 2 !== \count($data)) {`
	`63`	`+ $this->default_namespace = null;`
	`64`	`+ $this->parameters = [];`
	`65`	`+`
	`66`	`+ return;`
	`67`	`+ }`
	`68`	`+`
`61`	`69`	`$this->default_namespace = $data[0];`
`62`	`70`	`$this->parameters = $data[1];`
`63`	`71`	`}`
Original file line number	Diff line number	Diff line change
`@@ -41,11 +41,18 @@ public function __serialize()`
`41`	`41`
`42`	`42`	`/**`
`43`	`43`	`* Unserializes a sfParameterHolder instance for PHP 7.4+.`
	`44`	`+ * [CVE-2024-28861] Check type of returned data to avoid deserialization vulnerabilities.`
`44`	`45`	`*`
`45`	`46`	`* @param array $data`
`46`	`47`	`*/`
`47`	`48`	`public function __unserialize($data)`
`48`	`49`	`{`
	`50`	`+ if (!is_array($data)) {`
	`51`	`+ $this->parameters = [];`
	`52`	`+`
	`53`	`+ return;`
	`54`	`+ }`
	`55`	`+`
`49`	`56`	`$this->parameters = $data;`
`50`	`57`	`}`
`51`	`58`