Merge pull request #59979 from elicpeter/patch-1

fix(repair): restrict unserialize() in RemoveBrokenProperties
2026-06-12 18:21:40 -04:00 · 2026-06-11 10:26:04 +02:00 · 2026-06-11 10:26:04 +02:00 · 421e4de7e5
commit 421e4de7e5
parent 69af641e34 bc7f4b5e60
1 changed files with 1 additions and 1 deletions
--- a/lib/private/Repair/RemoveBrokenProperties.php
+++ b/lib/private/Repair/RemoveBrokenProperties.php
@ -38,7 +38,7 @@ class RemoveBrokenProperties implements IRepairStep {
 		$brokenIds = [];
 		while ($entry = $result->fetch()) {
 			if (!empty($entry['propertyvalue'])) {
-				$object = @unserialize(str_replace('\x00', chr(0), $entry['propertyvalue']));
+				$object = @unserialize(str_replace('\x00', chr(0), $entry['propertyvalue']), ['allowed_classes' => false]);
 				if ($object === false) {
 					$brokenIds[] = $entry['id'];
 				}