[dev] [commits] imp branch master updated. 5f9aef5b2d3980f9633bee49c32e7a25864478d1

Jan Schneider jan at horde.org
Mon Nov 7 17:41:28 UTC 2022


I don't think this works, because AFAIR we are indeed storing serialized objects in the sort pref.

Quoting Michael J. Rubinsky <mrubinsk at horde.org>:

> The branch "master" has been updated.
> The following is a summary of the commits.
>
> from: 8d19f07d87a6320df5de6b293ec05a49502005ff
>
> a526249 Address ZDI-20-1051 / ZDI-CAN-10436: Prevent deserializing a class.
> 5f9aef5 Merge pull request #10 from maintaina-com/fix-upstream-ZDI-20-1051
>
> Summary: https://github.com/horde/imp/compare/8d19f07d87a6...5f9aef5b2d39
>
> -----------------------------------------------------------------------
>
> commit a5262497903617af126fb529ac0bd2770f610b8d
> Author: Ralf Lang <ralf.lang at ralf-lang.de>
> Date:   Wed, 12 Oct 2022 18:06:43 +0200
>
> Address ZDI-20-1051 / ZDI-CAN-10436: Prevent deserializing a class.
>
> Also guard against some other possibly unwanted deserialisations.
> It is debatable if this constitutes an actual attack vector before the change.
> However, the change rules out any such possibility.
>
>  M lib/Prefs/Sort.php
>
> https://github.com/horde/imp/commit/a5262497903617af126fb529ac0bd2770f610b8d
>
> -----------------------------------------------------------------------
>
> commit 5f9aef5b2d3980f9633bee49c32e7a25864478d1
> Author: Michael J Rubinsky <mrubinsk at horde.org>
> Date:   Sat, 22 Oct 2022 16:38:54 -0400
>
> Merge pull request #10 from maintaina-com/fix-upstream-ZDI-20-1051
>
> Address ZDI-20-1051 / ZDI-CAN-10436: Prevent deserializing a class.
>
>  M lib/Prefs/Sort.php
>
> https://github.com/horde/imp/commit/5f9aef5b2d3980f9633bee49c32e7a25864478d1



-- 
Jan Schneider
The Horde Project
https://www.horde.org/
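An added PHP illustration (not IMP's code; the SortPref class and the stored preference values are constructed for the example) of the trade-off raised in this thread: refusing class instantiation in unserialize() neutralises any object payload in the preference store, but a preference that legitimately holds a serialized object then comes back only as an inert __PHP_Incomplete_Class and must be detected and migrated rather than used.

```php
<?php
// Hypothetical stand-in for an object a sort preference might have held.
class SortPref
{
    public $by = 'date';
    public $dir = 'desc';
}

// True if any object (including __PHP_Incomplete_Class) survives in $v.
function containsObject($v): bool
{
    if (is_object($v)) {
        return true;
    }
    if (is_array($v)) {
        foreach ($v as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Decode a stored sort preference without ever instantiating a class.
function decodeSortPref(string $serialized): array
{
    // allowed_classes => false: objects are inflated as __PHP_Incomplete_Class,
    // so no constructor, __wakeup() or __destruct() of a real class can run.
    $value = @unserialize($serialized, ['allowed_classes' => false]);
    if ($value === false && $serialized !== serialize(false)) {
        return ['ok' => false, 'reason' => 'malformed', 'value' => null];
    }
    if (containsObject($value)) {
        // Legacy data really did contain an object: unusable as-is,
        // needs a one-time migration to a plain array representation.
        return ['ok' => false, 'reason' => 'incomplete_class', 'value' => $value];
    }
    return ['ok' => true, 'reason' => null, 'value' => $value];
}

// Constructed sample preference values.
$plain  = serialize(['by' => 'date', 'dir' => 'desc']); // array form: decodes fine
$legacy = serialize([new SortPref()]);                  // object form: flagged

var_dump(decodeSortPref($plain)['ok']);       // bool(true)
var_dump(decodeSortPref($legacy)['reason']);  // string(16) "incomplete_class"
```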