From 3debf2e11a1e5bf5bef613f8912be558fba41a22 Mon Sep 17 00:00:00 2001
From: Benjamin DALSASS
Date: Mon, 13 Apr 2026 08:08:52 +0200
Subject: [PATCH] =?UTF-8?q?N=C2=B09379=20-=20PHP=20unserialze=20function?= =?UTF-8?q?=20-=20security=20hardening=20-=20code=20review?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 application/menunode.class.inc.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/application/menunode.class.inc.php b/application/menunode.class.inc.php
index 09def76908..43ce751e5f 100644
--- a/application/menunode.class.inc.php
+++ b/application/menunode.class.inc.php
@@ -1548,6 +1548,12 @@ class ShortcutMenuNode extends MenuNode
 $sContext = $this->oShortcut->Get('context');
 try {
 $aContext = utils::Unserialize($sContext, ['allowed_classes' => false]);
+ if (isset($aContext['menu'])) {
+ unset($aContext['menu']);
+ }
+ foreach ($aContext as $sArgName => $sArgValue) {
+ $aExtraParams[$sArgName] = $sArgValue;
+ }
 } catch (Exception $e) {
 IssueLog::Warning("User shortcut corrupted, delete the shortcut", LogChannels::CONSOLE, [
 'shortcut_name' => $this->oShortcut->GetName(),
@@ -1556,12 +1562,6 @@ class ShortcutMenuNode extends MenuNode
 // delete the shortcut
 $this->oShortcut->DBDelete();
 }
- if (isset($aContext['menu'])) {
- unset($aContext['menu']);
- }
- foreach ($aContext as $sArgName => $sArgValue) {
- $aExtraParams[$sArgName] = $sArgValue;
- }
 return parent::GetHyperlink($aExtraParams);
 }
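Review bot: `$aContext` is passed to `isset`/`foreach` in the first hunk with no check that it is an array. With `allowed_classes => false` a stored context can still deserialize to a scalar, `false` or a `__PHP_Incomplete_Class`, and none of those is certain to reach `catch (Exception $e)`. Unless `utils::Unserialize()` (not visible here) already guarantees an array or throws, add a guard right after the call, e.g. `if (!is_array($aContext)) { throw new UnexpectedValueException('shortcut context is not an array'); }`, so a malformed shortcut takes the same warn-and-delete path. Every key except `menu` is also copied into `$aExtraParams` and can overwrite caller-supplied parameters before `parent::GetHyperlink()`; consider accepting only scalar values or an allow-list of expected argument names. The enclosing method starts above the hunk, so how `$aExtraParams` is initialised is not visible.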