From ddaf014898d8ebd4ab721f0baa199341ef07bc84 Mon Sep 17 00:00:00 2001
From: Benjamin DALSASS <benjamin.dalsass@combodo.com>
Date: Thu, 9 Apr 2026 14:59:06 +0200
Subject: [PATCH] =?UTF-8?q?N=C2=B09379=20-=20PHP=20unserialze=20function?=
 =?UTF-8?q?=20-=20security=20hardening=20-=20Ensure=20shortcut=20doen't=20?=
 =?UTF-8?q?contain=20php=20objects,=20otherwise=20delete=20shortcut?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 application/menunode.class.inc.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/application/menunode.class.inc.php b/application/menunode.class.inc.php
index 0071b5532f..09def76908 100644
--- a/application/menunode.class.inc.php
+++ b/application/menunode.class.inc.php
@@ -1546,7 +1546,16 @@ class ShortcutMenuNode extends MenuNode
 	public function GetHyperlink($aExtraParams)
 	{
 		$sContext = $this->oShortcut->Get('context');
-		$aContext = unserialize($sContext);
+		try {
+			$aContext = utils::Unserialize($sContext, ['allowed_classes' => false]);
+		} catch (Exception $e) {
+			IssueLog::Warning("User shortcut corrupted, delete the shortcut", LogChannels::CONSOLE, [
+				'shortcut_name' => $this->oShortcut->GetName(),
+				'root_cause' => $e->getMessage(),
+			]);
+			// delete the shortcut
+			$this->oShortcut->DBDelete();
+		}
 		if (isset($aContext['menu'])) {
 			unset($aContext['menu']);
 		}