
fix(security): restrict unserialize allowed_classes (ZDI-20-1051)#47

Merged
ralflang merged 1 commit into FRAMEWORK_6_0 from fix/deserialization-zdi-20-1051 on May 27, 2026

Conversation

@ralflang (Member)

Summary

Follow-up to horde/imp#7

  • All bare @unserialize() calls on prefs data now pass allowed_classes restrictions
  • Pure data prefs (fb_cals, display_cals, remote_cals, show_location, show_time, event_alarms, calendar display prefs) use allowed_classes => false to prevent object instantiation
  • Kronolith_Attendee_List::unserialize() whitelists only Kronolith_Attendee
  • Kronolith_Attendee::unserialize() restricted to data-only (its serialized form is a plain array)

Follow-up to horde/imp#7

Deserialization restricted to data-only (allowed_classes => false) for:
fb_cals, display_cals, remote_cals, show_location, show_time,
event_alarms, calendar display prefs.

Kronolith_Attendee_List allows only Kronolith_Attendee objects.
Kronolith_Attendee::unserialize() restricted to data-only.
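The two allowed_classes patterns named in the summary above, shown side by side with the bare call they replace. This is an added example, not Kronolith's own code: Kronolith_Attendee and Gadget are minimal stand-ins (the real attendee class and its serialized form are not reproduced), loadCalendarIds() and loadAttendeeList() are hypothetical helper names, and the serialized pref strings are constructed inline. It assumes PHP 7.0 or later, where unserialize() accepts the options array.

```php
<?php
// Added example, not Kronolith's own code: the two allowed_classes patterns
// the PR describes, run against constructed serialized pref values.
// Kronolith_Attendee and Gadget are stand-ins for this demo only.

class Kronolith_Attendee
{
    public $email;
    public function __construct(string $email) { $this->email = $email; }
}

// Stand-in for any loaded class with a magic method an attacker could chain.
class Gadget
{
    public $cmd = 'id';
    public function __wakeup() { echo "Gadget::__wakeup ran: {$this->cmd}\n"; }
}

// Constructed attacker-controlled value for a pref that should hold only an
// array of calendar ids (e.g. display_cals).
$tampered = serialize([new Gadget(), 'internal_calendar']);

// Before the fix: a bare unserialize() instantiates Gadget and runs __wakeup().
$before = @unserialize($tampered);

// After the fix: allowed_classes => false turns the object into a
// __PHP_Incomplete_Class and no magic method runs. It is still an object,
// so the pref has to be shape-checked afterwards.
$after = @unserialize($tampered, ['allowed_classes' => false]);
var_dump($after[0] instanceof __PHP_Incomplete_Class);

// Data-only pref loader (hypothetical helper): forbid classes, then keep
// only the scalars the pref is supposed to contain.
function loadCalendarIds(string $raw): array
{
    $val = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($val)) {
        return [];  // malformed input or not the expected shape
    }
    return array_values(array_filter($val, 'is_string'));
}

// Attendee list loader (hypothetical helper): whitelist exactly one class
// and reject anything else that survives deserialization.
function loadAttendeeList(string $raw): array
{
    $val = @unserialize($raw, ['allowed_classes' => ['Kronolith_Attendee']]);
    if (!is_array($val)) {
        return [];
    }
    foreach ($val as $item) {
        if (!$item instanceof Kronolith_Attendee) {
            $type = is_object($item) ? get_class($item) : gettype($item);
            throw new UnexpectedValueException(
                'Unexpected value in attendee list: ' . $type
            );
        }
    }
    return $val;
}

var_dump(loadCalendarIds($tampered));

$legit = serialize([new Kronolith_Attendee('alice@example.com')]);
var_dump(count(loadAttendeeList($legit)));

try {
    loadAttendeeList($tampered);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), "\n";
}
```

Two caveats worth keeping in mind when applying the pattern. First, allowed_classes => false does not make unserialize() return false for an object payload; it returns a __PHP_Incomplete_Class instance, so a "data-only" pref still needs the is_array()/is_string() style checks above before it is used. Second, the class whitelist only stops instantiation of other classes; a whitelisted class's own unserialize() handler still receives attacker-controlled bytes, which is why the summary separately restricts Kronolith_Attendee::unserialize() to data-only for its plain-array payload.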
@ralflang (Member, Author)

ZDI-20-1051 related PRs across the Horde ecosystem

Repo        PR     Title
imp         #7     Deserialization of untrusted data (original report)
imp         #56    restrict unserialize allowed_classes
turba       #58    restrict unserialize allowed_classes
kronolith   #47    restrict unserialize allowed_classes
nag         #26    restrict unserialize allowed_classes
mnemo       #21    restrict unserialize allowed_classes
ingo        #29    restrict unserialize allowed_classes
Core        #129   restrict unserialize allowed_classes
base        #98    restrict unserialize allowed_classes
Prefs       #6     restrict unserialize allowed_classes
Prefs       #5     Harden Horde_Prefs_Identity against unexpected prefs values (merged)
ActiveSync  #21    Modern __serialize()/__unserialize() for Folder classes (merged)
ActiveSync  #25    Refactor unserialize calls to use _unserializeState (merged)

