Disable class unserialization where it is not needed.

app/code/core/Mage/Admin/Model/Resource/Acl.php

@@ -133,7 +133,7 @@ public function loadRules(Mage_Admin_Model_Acl $acl, array $rulesArr)
             $assert = null;
             if (0 != $rule['assert_id']) {
                 $assertClass = Mage::getSingleton('admin/config')->getAclAssert($rule['assert_type'])->getClassName();
-                $assert = new $assertClass(unserialize($rule['assert_data']));
+                $assert = new $assertClass(unserialize($rule['assert_data'], ['allowed_classes' => false]));
             }
             try {
                 if ($rule['permission'] == 'allow') {

app/code/core/Mage/Adminhtml/Block/Sales/Order/Shipment/Packaging.php

@@ -201,7 +201,7 @@ public function getPackages()
     {
         $packages = $this->getShipment()->getPackages();
         if ($packages) {
-            $packages = unserialize($packages);
+            $packages = unserialize($packages, ['allowed_classes' => false]);
         } else {
             $packages = array();
         }

app/code/core/Mage/Adminhtml/Model/Sales/Order/Create.php

@@ -580,7 +580,7 @@ public function moveQuoteItem($item, $moveTo, $qty)
                         $info = $item->getOptionByCode('info_buyRequest');
                         if ($info) {
                             $info = new Varien_Object(
-                                unserialize($info->getValue())
+                                unserialize($info->getValue(), ['allowed_classes' => false])
                             );
                             $info->setQty($qty);
                             $info->setOptions($this->_prepareOptionsForRequest($item));
@@ -1511,7 +1511,7 @@ protected function _prepareQuoteItems()
             }
             $addOptions = $item->getOptionByCode('additional_options');
             if ($addOptions) {
-                $options['additional_options'] = unserialize($addOptions->getValue());
+                $options['additional_options'] = unserialize($addOptions->getValue(), ['allowed_classes' => false]);
             }
             $item->setProductOrderOptions($options);
         }

app/code/core/Mage/Api/Model/Resource/Acl.php

@@ -123,7 +123,7 @@ public function loadRules(Mage_Api_Model_Acl $acl, array $rulesArr)
             $assert = null;
             if (0!=$rule['assert_id']) {
                 $assertClass = Mage::getSingleton('api/config')->getAclAssert($rule['assert_type'])->getClassName();
-                $assert = new $assertClass(unserialize($rule['assert_data']));
+                $assert = new $assertClass(unserialize($rule['assert_data'], ['allowed_classes' => false]));
             }
             try {
                 if ($rule['api_permission'] == 'allow') {

app/code/core/Mage/Bundle/Block/Adminhtml/Sales/Order/Items/Renderer.php

@@ -167,7 +167,7 @@ public function getSelectionAttributes($item)
             $options = $item->getOrderItem()->getProductOptions();
         }
         if (isset($options['bundle_selection_attributes'])) {
-            return unserialize($options['bundle_selection_attributes']);
+            return unserialize($options['bundle_selection_attributes'], ['allowed_classes' => false]);
         }
         return null;
     }

app/code/core/Mage/Bundle/Block/Adminhtml/Sales/Order/View/Items/Renderer.php

@@ -126,7 +126,7 @@ public function getSelectionAttributes($item)
             $options = $item->getOrderItem()->getProductOptions();
         }
         if (isset($options['bundle_selection_attributes'])) {
-            return unserialize($options['bundle_selection_attributes']);
+            return unserialize($options['bundle_selection_attributes'], ['allowed_classes' => false]);
         }
         return null;
     }

app/code/core/Mage/Bundle/Block/Sales/Order/Items/Renderer.php

@@ -131,7 +131,7 @@ public function getSelectionAttributes($item)
             $options = $item->getOrderItem()->getProductOptions();
         }
         if (isset($options['bundle_selection_attributes'])) {
-            return unserialize($options['bundle_selection_attributes']);
+            return unserialize($options['bundle_selection_attributes'], ['allowed_classes' => false]);
         }
         return null;
     }

app/code/core/Mage/Bundle/Helper/Catalog/Product/Configuration.php

@@ -91,7 +91,7 @@ public function getBundleOptions(Mage_Catalog_Model_Product_Configuration_Item_I
 
         // get bundle options
         $optionsQuoteItemOption = $item->getOptionByCode('bundle_option_ids');
-        $bundleOptionsIds = $optionsQuoteItemOption ? unserialize($optionsQuoteItemOption->getValue()) : array();
+        $bundleOptionsIds = $optionsQuoteItemOption ? unserialize($optionsQuoteItemOption->getValue(), ['allowed_classes' => false]) : array();
         if ($bundleOptionsIds) {
             /**
             * @var Mage_Bundle_Model_Resource_Option_Collection
@@ -101,11 +101,11 @@ public function getBundleOptions(Mage_Catalog_Model_Product_Configuration_Item_I
             // get and add bundle selections collection
             $selectionsQuoteItemOption = $item->getOptionByCode('bundle_selection_ids');
 
-            $bundleSelectionIds = unserialize($selectionsQuoteItemOption->getValue());
+            $bundleSelectionIds = unserialize($selectionsQuoteItemOption->getValue(), ['allowed_classes' => false]);
 
             if (!empty($bundleSelectionIds)) {
                 $selectionsCollection = $typeInstance->getSelectionsByIds(
-                    unserialize($selectionsQuoteItemOption->getValue()),
+                    unserialize($selectionsQuoteItemOption->getValue(), ['allowed_classes' => false]),
                     $product
                 );
 

app/code/core/Mage/Bundle/Model/Product/Price.php

@@ -88,7 +88,7 @@ public function getTotalBundleItemsPrice($product, $qty = null)
         if ($product->hasCustomOptions()) {
             $customOption = $product->getCustomOption('bundle_selection_ids');
             if ($customOption) {
-                $selectionIds = unserialize($customOption->getValue());
+                $selectionIds = unserialize($customOption->getValue(), ['allowed_classes' => false]);
                 /** @var Mage_Bundle_Model_Resource_Selection_Collection $selections */
                 $selections = $product->getTypeInstance(true)->getSelectionsByIds($selectionIds, $product);
                 $selections->addTierPriceData();

app/code/core/Mage/Bundle/Model/Product/Type.php

@@ -148,7 +148,7 @@ public function getSku($product = null)
 
             if ($this->getProduct($product)->hasCustomOptions()) {
                 $customOption = $this->getProduct($product)->getCustomOption('bundle_selection_ids');
-                $selectionIds = unserialize($customOption->getValue());
+                $selectionIds = unserialize($customOption->getValue(), ['allowed_classes' => false]);
                 if (!empty($selectionIds)) {
                     $selections = $this->getSelectionsByIds($selectionIds, $product);
                     foreach ($selections->getItems() as $selection) {
@@ -176,7 +176,7 @@ public function getWeight($product = null)
 
             if ($this->getProduct($product)->hasCustomOptions()) {
                 $customOption = $this->getProduct($product)->getCustomOption('bundle_selection_ids');
-                $selectionIds = unserialize($customOption->getValue());
+                $selectionIds = unserialize($customOption->getValue(), ['allowed_classes' => false]);
                 $selections = $this->getSelectionsByIds($selectionIds, $product);
                 foreach ($selections->getItems() as $selection) {
                     $qtyOption = $this->getProduct($product)
@@ -202,7 +202,7 @@ public function isVirtual($product = null)
     {
         if ($this->getProduct($product)->hasCustomOptions()) {
             $customOption = $this->getProduct($product)->getCustomOption('bundle_selection_ids');
-            $selectionIds = unserialize($customOption->getValue());
+            $selectionIds = unserialize($customOption->getValue(), ['allowed_classes' => false]);
             $selections = $this->getSelectionsByIds($selectionIds, $product);
             $virtualCount = 0;
             foreach ($selections->getItems() as $selection) {
@@ -788,10 +788,10 @@ public function getOrderOptions($product = null)
 
         if ($product->hasCustomOptions()) {
             $customOption = $product->getCustomOption('bundle_option_ids');
-            $optionIds = unserialize($customOption->getValue());
+            $optionIds = unserialize($customOption->getValue(), ['allowed_classes' => false]);
             $options = $this->getOptionsByIds($optionIds, $product);
             $customOption = $product->getCustomOption('bundle_selection_ids');
-            $selectionIds = unserialize($customOption->getValue());
+            $selectionIds = unserialize($customOption->getValue(), ['allowed_classes' => false]);
             $selections = $this->getSelectionsByIds($selectionIds, $product);
             foreach ($selections->getItems() as $selection) {
                 if ($selection->isSalable()) {
@@ -934,9 +934,9 @@ public function checkProductBuyState($product = null)
         $productOptionIds   = $this->getOptionsIds($product);
         $productSelections  = $this->getSelectionsCollection($productOptionIds, $product);
         $selectionIds       = $product->getCustomOption('bundle_selection_ids');
-        $selectionIds       = (array) unserialize($selectionIds->getValue());
+        $selectionIds       = (array) unserialize($selectionIds->getValue(), ['allowed_classes' => false]);
         $buyRequest         = $product->getCustomOption('info_buyRequest');
-        $buyRequest         = new Varien_Object(unserialize($buyRequest->getValue()));
+        $buyRequest         = new Varien_Object(unserialize($buyRequest->getValue(), ['allowed_classes' => false]));
         $bundleOption       = $buyRequest->getBundleOption();
 
         if (empty($bundleOption) && empty($selectionIds)) {

app/code/core/Mage/Bundle/Model/Sales/Order/Pdf/Items/Abstract.php

@@ -196,7 +196,7 @@ public function getSelectionAttributes($item)
             $options = $item->getOrderItem()->getProductOptions();
         }
         if (isset($options['bundle_selection_attributes'])) {
-            return unserialize($options['bundle_selection_attributes']);
+            return unserialize($options['bundle_selection_attributes'], ['allowed_classes' => false]);
         }
         return null;
     }

app/code/core/Mage/Catalog/Helper/Product/Configuration.php

@@ -85,7 +85,7 @@ public function getCustomOptions(Mage_Catalog_Model_Product_Configuration_Item_I
 
         $addOptions = $item->getOptionByCode('additional_options');
         if ($addOptions) {
-            $options = array_merge($options, unserialize($addOptions->getValue()));
+            $options = array_merge($options, unserialize($addOptions->getValue(), ['allowed_classes' => false]));
         }
 
         return $options;

app/code/core/Mage/Catalog/Model/Product/Attribute/Source/Countryofmanufacture.php

@@ -42,7 +42,7 @@ public function getAllOptions()
     {
         $cacheKey = 'DIRECTORY_COUNTRY_SELECT_STORE_' . Mage::app()->getStore()->getCode();
         if (Mage::app()->useCache('config') && $cache = Mage::app()->loadCache($cacheKey)) {
-            $options = unserialize($cache);
+            $options = unserialize($cache, ['allowed_classes' => false]);
         } else {
             $collection = Mage::getModel('directory/country')->getResourceCollection();
             if (!Mage::app()->getStore()->isAdmin()) {

app/code/core/Mage/Catalog/Model/Product/Type/Abstract.php

@@ -602,7 +602,7 @@ public function getOrderOptions($product = null)
     {
         $optionArr = array();
         if ($info = $this->getProduct($product)->getCustomOption('info_buyRequest')) {
-            $optionArr['info_buyRequest'] = unserialize($info->getValue());
+            $optionArr['info_buyRequest'] = unserialize($info->getValue(), ['allowed_classes' => false]);
         }
 
         if ($optionIds = $this->getProduct($product)->getCustomOption('option_ids')) {

app/code/core/Mage/Catalog/Model/Product/Type/Configurable.php

@@ -548,7 +548,7 @@ public function getSelectedAttributesInfo($product = null)
         $attributes = array();
         Varien_Profiler::start('CONFIGURABLE:'.__METHOD__);
         if ($attributesOption = $this->getProduct($product)->getCustomOption('attributes')) {
-            $data = unserialize($attributesOption->getValue());
+            $data = unserialize($attributesOption->getValue(), ['allowed_classes' => false]);
             $this->getUsedProductAttributeIds($product);
 
             $usedAttributes = $this->getProduct($product)->getData($this->_usedAttributes);
@@ -681,7 +681,7 @@ public function checkProductBuyState($product = null)
         $product = $this->getProduct($product);
         $option = $product->getCustomOption('info_buyRequest');
         if ($option instanceof Mage_Sales_Model_Quote_Item_Option) {
-            $buyRequest = new Varien_Object(unserialize($option->getValue()));
+            $buyRequest = new Varien_Object(unserialize($option->getValue(), ['allowed_classes' => false]));
             $attributes = $buyRequest->getSuperAttribute();
             if (is_array($attributes)) {
                 foreach ($attributes as $key => $val) {

app/code/core/Mage/Catalog/Model/Product/Type/Configurable/Price.php

@@ -78,7 +78,7 @@ public function getTotalConfigurableItemsPrice($product, $finalPrice)
 
         $selectedAttributes = array();
         if ($product->getCustomOption('attributes')) {
-            $selectedAttributes = unserialize($product->getCustomOption('attributes')->getValue());
+            $selectedAttributes = unserialize($product->getCustomOption('attributes')->getValue(), ['allowed_classes' => false]);
         }
 
         /** @var Mage_Catalog_Model_Product_Type_Configurable_Attribute $attribute */

app/code/core/Mage/Catalog/Model/Resource/Product/Collection.php

@@ -1161,7 +1161,7 @@ protected function _addUrlRewrite()
             if (!($urlRewrites = Mage::app()->loadCache($this->_cacheConf['prefix'] . 'urlrewrite'))) {
                 $urlRewrites = null;
             } else {
-                $urlRewrites = unserialize($urlRewrites);
+                $urlRewrites = unserialize($urlRewrites, ['allowed_classes' => false]);
             }
         }
 

app/code/core/Mage/CatalogIndex/Model/Resource/Aggregation.php

@@ -74,7 +74,7 @@ public function getCacheData($key, $storeId)
             ->where('a.key=?', $key);
         $data = $this->_getReadAdapter()->fetchOne($select);
         if ($data) {
-            $data = unserialize($data);
+            $data = unserialize($data, ['allowed_classes' => false]);
         } else {
             $data = array();
         }

app/code/core/Mage/Checkout/Block/Onepage/Abstract.php

@@ -218,7 +218,7 @@ public function getCountryOptions()
             $cacheId    = 'DIRECTORY_COUNTRY_SELECT_STORE_' . Mage::app()->getStore()->getCode();
             $cacheTags  = array('config');
             if ($optionsCache = Mage::app()->loadCache($cacheId)) {
-                $options = unserialize($optionsCache);
+                $options = unserialize($optionsCache, ['allowed_classes' => false]);
             }
         }
 

app/code/core/Mage/Core/Helper/UnserializeArray.php

@@ -40,7 +40,14 @@ class Mage_Core_Helper_UnserializeArray
      */
     public function unserialize($str)
     {
-        $parser = new Unserialize_Parser();
-        return $parser->unserialize($str);
+        try {
+            $result = unserialize($str, ['allowed_classes' => false]);
+            if ($result === false && $str !== serialize(false)) {
+                throw new Exception('Error unserializing data.');
+            }
+            return $result;
+        } catch (Error $e) {
+            throw new Exception('Error unserializing data: '.$e->getMessage(), 0, $e);
+        }
     }
 }

app/code/core/Mage/Core/Model/Cache.php

@@ -500,7 +500,7 @@ protected function _initOptions()
                 $this->_allowedCacheOptions = array();
             }
         } else {
-            $this->_allowedCacheOptions = unserialize($options);
+            $this->_allowedCacheOptions = unserialize($options, ['allowed_classes' => false]);
         }
 
         if (Mage::getConfig()->getOptions()->getData('global_ban_use_cache')) {
@@ -611,7 +611,7 @@ protected function _getInvalidatedTypes()
     {
         $types = $this->load(self::INVALIDATED_TYPES);
         if ($types) {
-            $types = unserialize($types);
+            $types = unserialize($types, ['allowed_classes' => false]);
         } else {
             $types = array();
         }

app/code/core/Mage/Core/Model/Flag.php

@@ -87,7 +87,7 @@ protected function _beforeSave()
     public function getFlagData()
     {
         if ($this->hasFlagData()) {
-            return unserialize($this->getData('flag_data'));
+            return unserialize($this->getData('flag_data'), ['allowed_classes' => false]);
         } else {
             return null;
         }

app/code/core/Mage/Core/Model/Resource/Abstract.php

@@ -197,7 +197,7 @@ protected function _unserializeField(Varien_Object $object, $field, $defaultValu
         if (empty($value)) {
             $object->setData($field, $defaultValue);
         } elseif (!is_array($value) && !is_object($value)) {
-            $object->setData($field, unserialize($value));
+            $object->setData($field, unserialize($value, ['allowed_classes' => ['Varien_Object']]));
         }
     }
 

app/code/core/Mage/Core/Model/Resource/Email/Queue.php

@@ -43,7 +43,7 @@ protected function _construct()
     protected function _afterLoad(Mage_Core_Model_Abstract $object)
     {
         $object->setRecipients($this->getRecipients($object->getId()));
-        $object->setMessageParameters(unserialize($object->getMessageParameters()));
+        $object->setMessageParameters(unserialize($object->getMessageParameters(), ['allowed_classes' => false]));
         return $this;
     }
 

app/code/core/Mage/Core/Model/Store.php

@@ -415,7 +415,7 @@ public function initConfigCache()
                     $cacheId = 'store_' . $code . '_config_cache';
                     $data = Mage::app()->loadCache($cacheId);
                     if ($data) {
-                        $data = unserialize($data);
+                        $data = unserialize($data, ['allowed_classes' => false]);
                     } else {
                         $data = array();
                         foreach ($this->_configCacheBaseNodes as $node) {

app/code/core/Mage/Core/Model/Translate.php

@@ -535,7 +535,7 @@ protected function _loadCache()
             return false;
         }
         $data = Mage::app()->loadCache($this->getCacheId());
-        $data = unserialize($data);
+        $data = unserialize($data, ['allowed_classes' => false]);
         return $data;
     }
 

app/code/core/Mage/Dataflow/Model/Batch.php

@@ -205,7 +205,7 @@ public function setParams($data)
     public function getParams()
     {
         $data = $this->_data['params'];
-        $data = unserialize($data);
+        $data = unserialize($data, ['allowed_classes' => false]);
         return $data;
     }
 }

app/code/core/Mage/Dataflow/Model/Batch/Abstract.php

@@ -63,7 +63,7 @@ public function setBatchData($data)
     public function getBatchData()
     {
         $data = $this->_data['batch_data'];
-        $data = unserialize($data);
+        $data = unserialize($data, ['allowed_classes' => false]);
         return $data;
     }
 

app/code/core/Mage/Dataflow/Model/Convert/Parser/Serialize.php

@@ -37,7 +37,7 @@ class Mage_Dataflow_Model_Convert_Parser_Serialize extends Mage_Dataflow_Model_C
 
     public function parse()
     {
-        $this->setData(unserialize($this->getData()));
+        $this->setData(unserialize($this->getData(), ['allowed_classes' => false]));
         return $this;
     }
 

app/code/core/Mage/Directory/Block/Data.php

@@ -74,7 +74,7 @@ public function getCountryHtmlSelect($defValue = null, $name = 'country_id', $id
         }
         $cacheKey = 'DIRECTORY_COUNTRY_SELECT_STORE_'.Mage::app()->getStore()->getCode();
         if (Mage::app()->useCache('config') && $cache = Mage::app()->loadCache($cacheKey)) {
-            $options = unserialize($cache);
+            $options = unserialize($cache, ['allowed_classes' => false]);
         } else {
             $options = $this->getCountryCollection()->toOptionArray();
             if (Mage::app()->useCache('config')) {
@@ -119,7 +119,7 @@ public function getRegionHtmlSelect()
         Varien_Profiler::start('TEST: '.__METHOD__);
         $cacheKey = 'DIRECTORY_REGION_SELECT_STORE'.Mage::app()->getStore()->getId();
         if (Mage::app()->useCache('config') && $cache = Mage::app()->loadCache($cacheKey)) {
-            $options = unserialize($cache);
+            $options = unserialize($cache, ['allowed_classes' => false]);
         } else {
             $options = $this->getRegionCollection()->toOptionArray();
             if (Mage::app()->useCache('config')) {

app/code/core/Mage/Downloadable/Model/Product/Type.php

@@ -339,7 +339,7 @@ public function checkProductBuyState($product = null)
         $product = $this->getProduct($product);
         $option = $product->getCustomOption('info_buyRequest');
         if ($option instanceof Mage_Sales_Model_Quote_Item_Option) {
-            $buyRequest = new Varien_Object(unserialize($option->getValue()));
+            $buyRequest = new Varien_Object(unserialize($option->getValue(), ['allowed_classes' => false]));
             if (!$buyRequest->hasLinks()) {
                 if (!$product->getLinksPurchasedSeparately()) {
                     $allLinksIds = Mage::getModel('downloadable/link')