Allow only trusted classes in unserialize

horde · Nov 18, 2021 · 90d956a · 90d956a
1 parent 8d19f07
commit 90d956a
Show file tree

Hide file tree

Showing 9 changed files with 40 additions and 11 deletions.
diff --git a/lib/Compose.php b/lib/Compose.php
@@ -811,7 +811,7 @@ public function buildAndSendMessage(
         ));
 
         /* Add preferred reply language(s). */
-        if ($lang = @unserialize($prefs->getValue('reply_lang'))) {
+        if ($lang = @unserialize($prefs->getValue('reply_lang'), array('allowed_classes' => false))) {
             $headers->addHeader('Accept-Language', implode(',', $lang));
         }
 

diff --git a/lib/Factory/MailboxList.php b/lib/Factory/MailboxList.php
@@ -57,7 +57,11 @@ public function create($mailbox)
             $mailbox = IMP_Mailbox::get($mailbox);
 
             if ($ob = $this->_getCache($mailbox)->get($key)) {
-                $ob = @unserialize($ob);
+                $ob = @unserialize($ob, array('allowed_classes' => array(
+                    'IMP_Mailbox_List_Virtual',
+                    'IMP_Mailbox_List_Pop3',
+                    'IMP_Mailbox_List',
+                )));
             }
 
             if (!$ob) {

diff --git a/lib/Flags.php b/lib/Flags.php
@@ -71,7 +71,16 @@ public function __construct()
         }
 
         if ($f_list = $GLOBALS['prefs']->getValue('msgflags')) {
-            $f_list = @unserialize($f_list);
+            $f_list = @unserialize($f_list, array('allowed_classes' => array(
+                'IMP_Flag_Imap_Answered',
+                'IMP_Flag_Imap_Deleted',
+                'IMP_Flag_Imap_Draft',
+                'IMP_Flag_Imap_Flagged',
+                'IMP_Flag_Imap_Forwarded',
+                'IMP_Flag_Imap_Junk',
+                'IMP_Flag_Imap_NotJunk',
+                'IMP_Flag_Imap_Seen',
+            )));
             if (is_array($f_list)) {
                 foreach ($f_list as $val) {
                     $this->_userflags[$val->id] = $val;

diff --git a/lib/Ftree/Prefs/Expanded.php b/lib/Ftree/Prefs/Expanded.php
@@ -41,7 +41,7 @@ public function __construct()
     {
         global $prefs;
 
-        if (($folders = @unserialize($prefs->getValue('expanded_folders'))) &&
+        if (($folders = @unserialize($prefs->getValue('expanded_folders'), array('allowed_classes' => false))) &&
             is_array($folders)) {
             $this->_data = $folders;
         }

diff --git a/lib/Ftree/Prefs/Poll.php b/lib/Ftree/Prefs/Poll.php
@@ -47,7 +47,7 @@ public function __construct(IMP_Ftree $ftree)
             $this->_data = array('INBOX' => 1);
 
             /* Add the list of polled mailboxes from the prefs. */
-            if ($nav_poll = @unserialize($prefs->getValue('nav_poll'))) {
+            if ($nav_poll = @unserialize($prefs->getValue('nav_poll'), array('allowed_classes' => false))) {
                 $this->_data += $nav_poll;
             }
 

diff --git a/lib/LoginTasks/SystemTask/Upgrade.php b/lib/LoginTasks/SystemTask/Upgrade.php
@@ -344,7 +344,10 @@ protected function _upgradeVirtualFolders()
 
         $vfolders = $prefs->getValue('vfolder');
         if (!empty($vfolders)) {
-            $vfolders = @unserialize($vfolders);
+            $vfolders = @unserialize($vfolders, array('allowed_classes' => array(
+                'IMP_Search_Vfolder_Vinbox',
+                'IMP_Search_Vfolder_Vtrash',
+            )));
         }
 
         if (empty($vfolders) || !is_array($vfolders)) {
@@ -577,7 +580,7 @@ protected function _upgradeStationeryToTemplates()
     {
         global $injector, $prefs;
 
-        $slist = @unserialize($prefs->getValue('stationery'));
+        $slist = @unserialize($prefs->getValue('stationery'), array('allowed_classes' => false));
         if (is_array($slist)) {
             /* Old entry format:
              * 'c' => (string) Content

diff --git a/lib/Prefs/Sort.php b/lib/Prefs/Sort.php
@@ -39,7 +39,7 @@ public function __construct()
     {
         global $prefs;
 
-        $sortpref = @unserialize($prefs->getValue(self::SORTPREF));
+        $sortpref = @unserialize($prefs->getValue(self::SORTPREF), array('allowed_classes' => false));
         if (is_array($sortpref)) {
             $this->_sortpref = $sortpref;
         }

diff --git a/lib/Remote.php b/lib/Remote.php
@@ -37,7 +37,9 @@ class IMP_Remote implements ArrayAccess, IteratorAggregate
      */
     public function __construct()
     {
-        $this->_accounts = @unserialize($GLOBALS['prefs']->getValue('remote')) ?: array();
+        $this->_accounts = @unserialize($GLOBALS['prefs']->getValue('remote'), array('allowed_classes' => array(
+            'IMP_Remote_Account',
+        ))) ?: array();
     }
 
     /**

diff --git a/lib/Search.php b/lib/Search.php
@@ -206,7 +206,15 @@ class_exists($cname)) {
         }
 
         if ($f_list = $GLOBALS['prefs']->getValue('filter')) {
-            $f_list = @unserialize($f_list);
+            $f_list = @unserialize($f_list, array('allowed_classes' => array(
+                'IMP_Search_Filter',
+                'IMP_Search_Filter_Personal',
+                'IMP_Search_Filter_Attachment',
+                'IMP_Search_Filter_Autogenerated',
+                'IMP_Search_Filter_Contacts',
+                'IMP_Search_Filter_Bulk',
+                'IMP_Search_Filter_Mailinglist',
+            )));
             if (is_array($f_list)) {
                 foreach ($f_list as $val) {
                     if ($val instanceof IMP_Search_Filter) {
@@ -296,7 +304,10 @@ class_exists($cname)) {
         }
 
         if ($pref_vf = $GLOBALS['prefs']->getValue('vfolder')) {
-            $pref_vf = @unserialize($pref_vf);
+            $pref_vf = @unserialize($pref_vf, array('allowed_classes' => array(
+                'IMP_Search_Vfolder_Vinbox',
+                'IMP_Search_Vfolder_Vtrash',
+            )));
             if (is_array($pref_vf)) {
                 foreach ($pref_vf as $val) {
                     if ($val instanceof IMP_Search_Vfolder) {