mirror of https://github.com/nextcloud/server.git
synced 2026-06-22 15:12:05 -04:00
RemoveBrokenProperties::run() calls unserialize() on the property value column without restricting allowed_classes. The result is only compared against false to identify broken rows, so no class instantiation is needed. As written, though, magic methods (__wakeup/__destruct) on any class referenced by the serialized payload still execute. The runtime decoder for the same column already restricts deserialization. See apps/dav/lib/DAV/CustomPropertiesBackend.php:675-678, which passes ['allowed_classes' => self::ALLOWED_SERIALIZED_CLASSES]. This change applies the same hardening to the repair step. It uses ['allowed_classes' => false] since the unserialized value is never used; only its truthiness is checked. No behavior change for valid or broken rows. Signed-off-by: Eli Peter <54954007+elicpeter@users.noreply.github.com> |
||
|---|---|---|
| .. | ||
| Events | ||
| NC13 | ||
| NC14 | ||
| NC16 | ||
| NC18 | ||
| NC20 | ||
| NC21 | ||
| NC22 | ||
| NC24 | ||
| NC25 | ||
| NC29 | ||
| NC30 | ||
| Owncloud | ||
| AddBruteForceCleanupJob.php | ||
| AddCleanupBackgroundJobsJob.php | ||
| AddCleanupDeletedUsersBackgroundJob.php | ||
| AddCleanupUpdaterBackupsJob.php | ||
| AddMetadataGenerationJob.php | ||
| AddMovePreviewJob.php | ||
| AddRemoveOldTasksBackgroundJob.php | ||
| CleanTags.php | ||
| CleanUpAbandonedApps.php | ||
| ClearFrontendCaches.php | ||
| ClearGeneratedAvatarCache.php | ||
| ClearGeneratedAvatarCacheJob.php | ||
| Collation.php | ||
| ConfigKeyMigration.php | ||
| MoveUpdaterStepFile.php | ||
| OldGroupMembershipShares.php | ||
| RemoveBrokenProperties.php | ||
| RemoveLinkShares.php | ||
| RepairDavShares.php | ||
| RepairInvalidShares.php | ||
| RepairLogoDimension.php | ||
| RepairMimeTypes.php | ||