[dev] [commits] imp branch master updated. 5f9aef5b2d3980f9633bee49c32e7a25864478d1
Michael J Rubinsky
mrubinsk at horde.org
Mon Nov 7 19:01:33 UTC 2022
Quoting Jan Schneider <jan at horde.org>:
> I don't think this works, because AFAIR we are indeed storing
> serialized objects in the sort pref.
As far as I can tell we are storing an array of hashes:
a:23:{s:5:"INBOX";a:2:{s:1:"b";i:1;s:1:"d";i:1;}s:15:"General Archive";a:2:{s:1:"b";s:3:"100";s:1:"d";i:1;} .....

array(23) {
  ["INBOX"]=>
  array(2) {
    ["b"]=>
    int(1)
    ["d"]=>
    int(1)
  }
  ["General Archive"]=>
  array(2) {
    ["b"]=>
    string(3) "100"
    ["d"]=>
    int(1)
  }
  .
  .
  .
  .
}
and this is what is inferred from config/prefs.php:
// sort prefs for individual mailboxes
$_prefs['sortpref'] = array(
    // value = serialize(array())
    'value' => 'a:0:{}'
);
> Zitat von Michael J. Rubinsky <mrubinsk at horde.org>:
>
>> The branch "master" has been updated.
>> The following is a summary of the commits.
>>
>> from: 8d19f07d87a6320df5de6b293ec05a49502005ff
>>
>> a526249 Address ZDI-20-1051 / ZDI-CAN-10436: Prevent deserializing a class.
>> 5f9aef5 Merge pull request #10 from maintaina-com/fix-upstream-ZDI-20-1051
>>
>> Summary: https://github.com/horde/imp/compare/8d19f07d87a6...5f9aef5b2d39
>>
>> -----------------------------------------------------------------------
>>
>> commit a5262497903617af126fb529ac0bd2770f610b8d
>> Author: Ralf Lang <ralf.lang at ralf-lang.de>
>> Date: Wed, 12 Oct 2022 18:06:43 +0200
>>
>> Address ZDI-20-1051 / ZDI-CAN-10436: Prevent deserializing a class.
>>
>> Also guard against some other possibly unwanted deserialisations.
>> It is debatable if this constitutes an actual attack vector before
>> the change.
>> However, the change rules out any such possibility.
>>
>> M lib/Prefs/Sort.php
>>
>> https://github.com/horde/imp/commit/a5262497903617af126fb529ac0bd2770f610b8d
>>
>> -----------------------------------------------------------------------
>>
>> commit 5f9aef5b2d3980f9633bee49c32e7a25864478d1
>> Author: Michael J Rubinsky <mrubinsk at horde.org>
>> Date: Sat, 22 Oct 2022 16:38:54 -0400
>>
>> Merge pull request #10 from maintaina-com/fix-upstream-ZDI-20-1051
>>
>> Address ZDI-20-1051 / ZDI-CAN-10436: Prevent deserializing a class.
>>
>> M lib/Prefs/Sort.php
>>
>> https://github.com/horde/imp/commit/5f9aef5b2d3980f9633bee49c32e7a25864478d1
> --
> Jan Schneider
> The Horde Project
> https://www.horde.org/
>
> --
> dev mailing list
> Frequently Asked Questions: http://wiki.horde.org/FAQ
> To unsubscribe, mail: dev-unsubscribe at lists.horde.org
--
mike
The Horde Project
http://www.horde.org
https://www.facebook.com/hordeproject
https://www.twitter.com/hordeproject
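The pattern the commit above describes, as an added example that is not IMP's own code: read the serialized 'sortpref' value with PHP's unserialize() and allowed_classes => false, so a serialized object in the stored value can never become a live instance of any class, then check the result against the array-of-hashes shape shown in the dump (mailbox => array with 'b' and 'd' entries). The function and helper names are mine; the meaning of 'b' and 'd' is assumed from the dump, and only their types are validated.

```php
<?php
// Added example (not IMP's code). Assumes the sortpref value is the
// serialize()d array of per-mailbox hashes shown in the mail.

/**
 * Decode a sortpref string into mailbox => ['b' => ..., 'd' => ...].
 * Entries that are not of the expected shape are dropped.
 */
function loadSortPref(string $raw): array
{
    // allowed_classes => false (PHP 7.0+): any O:... token is decoded as a
    // __PHP_Incomplete_Class stub, so no __wakeup() or __destruct() of an
    // arbitrary class is ever run while reading the preference.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }

    $clean = [];
    foreach ($data as $mailbox => $sort) {
        // Each value must be a plain array; an object stub fails is_array().
        if (!is_string($mailbox) || !is_array($sort)) {
            continue;
        }
        if (!array_key_exists('b', $sort) || !array_key_exists('d', $sort)) {
            continue;
        }
        // In the stored data both fields are integers or numeric strings.
        if (!isScalarNumber($sort['b']) || !isScalarNumber($sort['d'])) {
            continue;
        }
        $clean[$mailbox] = ['b' => $sort['b'], 'd' => $sort['d']];
    }
    return $clean;
}

function isScalarNumber($v): bool
{
    return is_int($v) || (is_string($v) && ctype_digit($v));
}

// Constructed sample inputs: first the shape shown in the mail, then a value
// that carries a serialized object in place of a per-mailbox hash.
$good = 'a:2:{s:5:"INBOX";a:2:{s:1:"b";i:1;s:1:"d";i:1;}'
      . 's:15:"General Archive";a:2:{s:1:"b";s:3:"100";s:1:"d";i:1;}}';
$bad  = 'a:1:{s:5:"INBOX";O:8:"stdClass":2:{s:1:"b";i:1;s:1:"d";i:1;}}';

var_dump(loadSortPref($good));
var_dump(loadSortPref($bad));
```

With the second input the stdClass entry is decoded as an incomplete-class stub rather than an array, so the whole entry is discarded instead of being instantiated.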