N°9379 - PHP unserialze function - security hardening

- code review
2026-05-19 23:32:17 +02:00 · 2026-04-13 08:13:54 +02:00
parent 3debf2e11a
commit 9be12a5ab4
3 changed files with 3 additions and 3 deletions
--- a/application/menunode.class.inc.php
+++ b/application/menunode.class.inc.php
@@ -1547,7 +1547,7 @@ class ShortcutMenuNode extends MenuNode
 	{
 		$sContext = $this->oShortcut->Get('context');
 		try {
-			$aContext = utils::Unserialize($sContext, ['allowed_classes' => false]);
+			$aContext = utils::Unserialize($sContext);
 			if (isset($aContext['menu'])) {
 				unset($aContext['menu']);
 			}
--- a/application/utils.inc.php
+++ b/application/utils.inc.php
@@ -3263,7 +3263,7 @@ TXT
 	 * @return mixed PHP @unserialise return
 	 * @throws Exception
 	 */
-	public static function Unserialize(mixed $data, array $aOptions, bool $bThrowNotAllowedObjectClassException = true): mixed
+	public static function Unserialize(mixed $data, array $aOptions = ['allowed_classes' => false], bool $bThrowNotAllowedObjectClassException = true): mixed
 	{
 		$data = unserialize($data, $aOptions);

--- a/sources/Application/UI/Base/Component/DataTable/DataTableSettings.php
+++ b/sources/Application/UI/Base/Component/DataTable/DataTableSettings.php
@@ -135,7 +135,7 @@ class DataTableSettings
 	 */
 	public function unserialize($sData)
 	{
-		$aData = utils::Unserialize($sData, ['allowed_classes' => false]);
+		$aData = utils::Unserialize($sData);
 		if (!is_array($aData)) {
 			throw new CoreException('Wrong data table settings format, expected an array', ['datatable_settings_data' => $aData]);
 		}