From 9be12a5ab4214ba1d2b1e4fe232917fab7d39eb7 Mon Sep 17 00:00:00 2001
From: Benjamin DALSASS
Date: Mon, 13 Apr 2026 08:13:54 +0200
Subject: [PATCH] =?UTF-8?q?N=C2=B09379=20-=20PHP=20unserialze=20function?= =?UTF-8?q?=20-=20security=20hardening=20-=20code=20review?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 application/menunode.class.inc.php | 2 +-
 application/utils.inc.php | 2 +-
 .../UI/Base/Component/DataTable/DataTableSettings.php | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/application/menunode.class.inc.php b/application/menunode.class.inc.php
index 43ce751e5..bbd1341c9 100644
--- a/application/menunode.class.inc.php
+++ b/application/menunode.class.inc.php
@@ -1547,7 +1547,7 @@ class ShortcutMenuNode extends MenuNode
 {
 $sContext = $this->oShortcut->Get('context');
 try {
- $aContext = utils::Unserialize($sContext, ['allowed_classes' => false]);
+ $aContext = utils::Unserialize($sContext);
 if (isset($aContext['menu'])) {
 unset($aContext['menu']);
 }
diff --git a/application/utils.inc.php b/application/utils.inc.php
index a779669a0..8f1f848db 100644
--- a/application/utils.inc.php
+++ b/application/utils.inc.php
@@ -3263,7 +3263,7 @@ TXT
 * @return mixed PHP @unserialise return
 * @throws Exception
 */
- public static function Unserialize(mixed $data, array $aOptions, bool $bThrowNotAllowedObjectClassException = true): mixed
+ public static function Unserialize(mixed $data, array $aOptions = ['allowed_classes' => false], bool $bThrowNotAllowedObjectClassException = true): mixed
 {
 $data = unserialize($data, $aOptions);
diff --git a/sources/Application/UI/Base/Component/DataTable/DataTableSettings.php b/sources/Application/UI/Base/Component/DataTable/DataTableSettings.php
index f8dd40002..03ceb31f1 100644
--- a/sources/Application/UI/Base/Component/DataTable/DataTableSettings.php
+++ b/sources/Application/UI/Base/Component/DataTable/DataTableSettings.php
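Review bot: In `ShortcutMenuNode`, `$aContext` is indexed straight after the call (`isset($aContext['menu'])`) with no visible type check, whereas `DataTableSettings::unserialize()` in this same patch rejects non-array results with `is_array()`. A malformed or unexpected stored `context` value can come back as `false` or a scalar, so a guard such as `if (!is_array($aContext)) { $aContext = []; }` right after the call would keep the following code on a known shape. The `try` block and the rest of the method continue outside the hunk, so later code may already cover this.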
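Review bot: The new default on `utils::Unserialize()` only takes effect when `$aOptions` is omitted. A caller that passes an options array without the `allowed_classes` key (for example only `max_depth`) still reaches `unserialize($data, $aOptions)` with PHP's own default, which allows every class. Merging the safe value inside the function closes that gap: `$aOptions += ['allowed_classes' => false];` before the `unserialize()` call. The `@param` lines of the docblock are outside the hunk; if they do not say so yet, they should state that object instantiation is disabled by default and that callers must list the classes they need explicitly. The function body also continues outside the hunk.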
@@ -135,7 +135,7 @@ class DataTableSettings
 */
 public function unserialize($sData)
 {
- $aData = utils::Unserialize($sData, ['allowed_classes' => false]);
+ $aData = utils::Unserialize($sData);
 if (!is_array($aData)) {
 throw new CoreException('Wrong data table settings format, expected an array', ['datatable_settings_data' => $aData]);
 }