Merge pull request from GHSA-442f-wcwq-fpcf

marcovtwout · web-flow · commit ed67b7cc5721 · 2022-11-21T14:48:12.000+01:00
Fix for CVE-2022-41922
diff --git a/CHANGELOG b/CHANGELOG
@@ -5,6 +5,7 @@ Version 1.1.27 under development
 --------------------------------
 
 - Bug: PHP 8.1 compatibility: Fix CFileCache call of file_get_contents (Bregi)
+- Bug: CVE-2022-41922. Prevent RCE when deserializing untrusted user input (fi3wey, marcovtwout)
 
 Version 1.1.26 September 30, 2022
 --------------------------------
diff --git a/framework/db/schema/CDbCriteria.php b/framework/db/schema/CDbCriteria.php
@@ -168,18 +168,21 @@ public function __wakeup()
 	{
 		$map=array();
 		$params=array();
-		foreach($this->params as $name=>$value)
+		if(is_array($this->params))
 		{
-			if(strpos($name,self::PARAM_PREFIX)===0)
+			foreach($this->params as $name=>$value)
 			{
-				$newName=self::PARAM_PREFIX.self::$paramCount++;
-				$map[$name]=$newName;
-			}
-			else
-			{
-				$newName=$name;
+				if(strpos($name,self::PARAM_PREFIX)===0)
+				{
+					$newName=self::PARAM_PREFIX.self::$paramCount++;
+					$map[$name]=$newName;
+				}
+				else
+				{
+					$newName=$name;
+				}
+				$params[$newName]=$value;
 			}
-			$params[$newName]=$value;
 		}
 		if (!empty($map))
 		{

Original file line number	Diff line number	Diff line change
`@@ -168,18 +168,21 @@ public function __wakeup()`
`168`	`168`	`{`
`169`	`169`	`$map=array();`
`170`	`170`	`$params=array();`
`171`		`- foreach($this->params as $name=>$value)`
	`171`	`+ if(is_array($this->params))`
`172`	`172`	`{`
`173`		`- if(strpos($name,self::PARAM_PREFIX)===0)`
	`173`	`+ foreach($this->params as $name=>$value)`
`174`	`174`	`{`
`175`		`- $newName=self::PARAM_PREFIX.self::$paramCount++;`
`176`		`- $map[$name]=$newName;`
`177`		`- }`
`178`		`- else`
`179`		`- {`
`180`		`- $newName=$name;`
	`175`	`+ if(strpos($name,self::PARAM_PREFIX)===0)`
	`176`	`+ {`
	`177`	`+ $newName=self::PARAM_PREFIX.self::$paramCount++;`
	`178`	`+ $map[$name]=$newName;`
	`179`	`+ }`
	`180`	`+ else`
	`181`	`+ {`
	`182`	`+ $newName=$name;`
	`183`	`+ }`
	`184`	`+ $params[$newName]=$value;`
`181`	`185`	`}`
`182`		`- $params[$newName]=$value;`
`183`	`186`	`}`
`184`	`187`	`if (!empty($map))`
`185`	`188`	`{`