composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-05-19 07:12:26 +02:00
Code Issues Packages Projects Releases Wiki Activity

N°9379 - PHP unserialze function - security hardening

Browse Source 
- Ensure shortcut doen't contain php objects, otherwise delete shortcut
This commit is contained in:
Benjamin DALSASS
2026-04-09 14:59:06 +02:00
parent a71fefa328
commit ddaf014898
1 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
application/menunode.class.inc.php
View File

@@ -1546,7 +1546,16 @@ class ShortcutMenuNode extends MenuNode
public function GetHyperlink($aExtraParams) public function GetHyperlink($aExtraParams)
{ {
$sContext = $this->oShortcut->Get('context'); $sContext = $this->oShortcut->Get('context');
$aContext = unserialize($sContext); try {
$aContext = utils::Unserialize($sContext, ['allowed_classes' => false]);
} catch (Exception $e) {
IssueLog::Warning("User shortcut corrupted, delete the shortcut", LogChannels::CONSOLE, [
'shortcut_name' => $this->oShortcut->GetName(),
'root_cause' => $e->getMessage(),
]);
// delete the shortcut
$this->oShortcut->DBDelete();
}
if (isset($aContext['menu'])) { if (isset($aContext['menu'])) {
unset($aContext['menu']); unset($aContext['menu']);
} }