From fa7c8f064e3cbaa1fa93d89d33693b5479559380 Mon Sep 17 00:00:00 2001
From: Benjamin DALSASS <benjamin.dalsass@combodo.com>
Date: Mon, 13 Apr 2026 09:20:44 +0200
Subject: [PATCH] =?UTF-8?q?N=C2=B09379=20-=20PHP=20unserialze=20function?=
 =?UTF-8?q?=20-=20security=20hardening=20-=20add=20unitary=20test?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../unitary-tests/application/utilsTest.php    | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/tests/php-unit-tests/unitary-tests/application/utilsTest.php b/tests/php-unit-tests/unitary-tests/application/utilsTest.php
index c0ca399754..5d357e846d 100644
--- a/tests/php-unit-tests/unitary-tests/application/utilsTest.php
+++ b/tests/php-unit-tests/unitary-tests/application/utilsTest.php
@@ -23,6 +23,7 @@
 namespace Combodo\iTop\Test\UnitTest\Application;
 
 use Combodo\iTop\Test\UnitTest\ItopTestCase;
+use CoreException;
 use ormDocument;
 use utils;
 
@@ -1043,4 +1044,21 @@ INI;
 
 		unlink($sTmpFileOutsideItop);
 	}
+
+	public function testUnserialize()
+	{
+		// data to unserialize containing an object
+		$sData = 'a:2:{s:6:"string";s:9:"My string";s:6:"object";O:8:"DateTime":3:{s:4:"date";s:26:"2026-04-13 09:09:23.033175";s:13:"timezone_type";i:3;s:8:"timezone";s:16:"Europe/Amsterdam";}}';
+
+		// allow the DateTime object (no exception triggered)
+		utils::Unserialize($sData, ['allowed_classes' => ['DateTime']]);
+
+		// flag to avoid throwing an exception
+		utils::Unserialize($sData, ['allowed_classes' => false], false);
+
+		// flag to require throwing an exception
+		$this->expectException(CoreException::class);
+		utils::Unserialize($sData);
+
+	}
 }