Symfony News: CVE-2019-10912: Prevent destructors with side-effects from being unserialized

CVE-2019-10912: Prevent destructors with side-effects from being unserialized

Affected versions

Symfony 2.8.0 to 2.8.49, 3.4.0 to 3.4.25, 4.1.0 to 4.1.11 and 4.2.0 to 4.2.6 versions of the Symfony Cache component are affected by this security issue.

The issue has been fixed in Symfony 2.8.50, 3.4.26, 4.1.12 and 4.2.7.

Note that no fixes are provided for Symfony 3.0, 3.1, 3.2, 3.3, and 4.0 as they are not maintained anymore and that 2.7 is unaffected.

Description

When unserialize() is called with content coming from user input, malicious payloads could be used to trigger file deletions or raw output being echoed.

Resolution

We now prevent some classes from being serialized or unserialized.

The patch for this issue is available here for branch 3.4.

Credits

I would like to thank Mindaugas Vedegys for reporting the issue and Nicolas Grekas for fixing the issue.

Be trained by Symfony experts - 2019-04-23 Lille - 2019-04-23 Clichy - 2019-04-23 Clichy

Source: https://symfony.com/blog

About us

What a Symfony developer should know about the framework: News, Jobs, Tweets, Events, Videos,...

Welcome to Symfony News !
More About us
Contact us on contact[at]symfony-news.com

Resources

Symfony Blog

Find us on Twitter

Tweets by @symfony_news

Symfony News