N°9379 - PHP unserialze function - security hardening

- Create an unserialze function encapsulation - Ensure data table settings doesn't contain php objects, otherwise revert to default settings
2026-05-18 14:58:43 +02:00 · 2026-04-09 08:31:41 +02:00
parent 00735f0c54
commit a71fefa328
2 changed files with 68 additions and 2 deletions
--- a/application/utils.inc.php
+++ b/application/utils.inc.php
@@ -3252,4 +3252,50 @@ TXT

 		return $aTrace;
 	}
+
+	/**
+	 * PHP unserialize encapsulation, allow throwing exception when not allowed object class is detected (for security hardening)
+	 *
+	 * @param mixed $data data to unserialize
+	 * @param array $aOptions PHP @unserialise options
+	 * @param bool $bThrowNotAllowedObjectClassException flag to throw exception
+	 *
+	 * @return mixed PHP @unserialise return
+	 * @throws Exception
+	 */
+	public static function Unserialize(mixed $data, array $aOptions, bool $bThrowNotAllowedObjectClassException = true): mixed
+	{
+		$oData = unserialize($data, $aOptions);
+
+		if ($bThrowNotAllowedObjectClassException) {
+			try {
+				self::AssertNoIncompleteClassDetected($oData);
+			} catch (Exception $e) {
+				throw new CoreException('Unserialization failed because an incomplete class was detected.', [], '', $e);
+			}
+		}
+
+		return $oData;
+	}
+
+	/**
+	 * Assert that data provided doesn't contain any incomplete class.
+	 *
+	 * @throws Exception
+	 */
+	public static function AssertNoIncompleteClassDetected($data): void
+	{
+		if (is_object($data)) {
+			if ($data instanceof __PHP_Incomplete_Class) {
+				throw new Exception('__PHP_Incomplete_Class_Name object detected');
+			}
+			foreach (get_object_vars($data) as $property) {
+				self::AssertNoIncompleteClassDetected($property);
+			}
+		} elseif (is_array($data)) {
+			foreach ($data as $value) {
+				self::AssertNoIncompleteClassDetected($value);
+			}
+		}
+	}
 }
--- a/sources/Application/UI/Base/Component/DataTable/DataTableSettings.php
+++ b/sources/Application/UI/Base/Component/DataTable/DataTableSettings.php
@@ -8,8 +8,13 @@ use AttributeFriendlyName;
 use AttributeLinkedSet;
 use cmdbAbstract;
 use cmdbAbstractObject;
+use CoreException;
 use Dict;
+use Exception;
+use IssueLog;
+use LogChannels;
 use Metamodel;
+use utils;

 /**
 * Class DataTableSettings
@@ -130,7 +135,10 @@ class DataTableSettings
 	 */
 	public function unserialize($sData)
 	{
-		$aData = unserialize($sData);
+		$aData = utils::Unserialize($sData, ['allowed_classes' => false]);
+		if (!is_array($aData)) {
+			throw new CoreException('Wrong data table settings format, expected an array', ['datatable_settings_data' => $aData]);
+		}
 		$this->iDefaultPageSize = $aData['iDefaultPageSize'];
 		$this->aColumns = $aData['aColumns'];
 		foreach ($this->aClassAliases as $sAlias => $sClass) {
@@ -269,7 +277,19 @@ class DataTableSettings
 				return null;
 			}
 		}
-		$oSettings->unserialize($pref);
+
+		try {
+			$oSettings->unserialize($pref);
+		} catch (Exception $e) {
+			IssueLog::Warning("User table settings corrupted, back to the default values provided by the data model", LogChannels::CONSOLE, [
+				'table_id' => $sTableId,
+				'root_cause' => $e->getMessage(),
+			]);
+			// unset the preference
+			appUserPreferences::UnsetPref($oSettings->GetPrefsKey($sTableId));
+			// use the default values provided by the data model
+			return null;
+		}

 		return $oSettings;
 	}