Merge pull request #59979 from elicpeter/patch-1

artonge · web-flow · commit 421e4de7e526 · 2026-06-11T10:26:04.000+02:00
fix(repair): restrict unserialize() in RemoveBrokenProperties
diff --git a/lib/private/Repair/RemoveBrokenProperties.php b/lib/private/Repair/RemoveBrokenProperties.php
@@ -38,7 +38,7 @@ public function run(IOutput $output): void {
 		$brokenIds = [];
 		while ($entry = $result->fetch()) {
 			if (!empty($entry['propertyvalue'])) {
-				$object = @unserialize(str_replace('\x00', chr(0), $entry['propertyvalue']));
+				$object = @unserialize(str_replace('\x00', chr(0), $entry['propertyvalue']), ['allowed_classes' => false]);
 				if ($object === false) {
 					$brokenIds[] = $entry['id'];
 				}

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ public function run(IOutput $output): void {`
`38`	`38`	`$brokenIds = [];`
`39`	`39`	`while ($entry = $result->fetch()) {`
`40`	`40`	`if (!empty($entry['propertyvalue'])) {`
`41`		`- $object = @unserialize(str_replace('\x00', chr(0), $entry['propertyvalue']));`
	`41`	`+ $object = @unserialize(str_replace('\x00', chr(0), $entry['propertyvalue']), ['allowed_classes' => false]);`
`42`	`42`	`if ($object === false) {`
`43`	`43`	`$brokenIds[] = $entry['id'];`
`44`	`44`	`}`