Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG]: Phalon\Logger\Adapter\* remove serialization #15638

Closed
niden opened this issue Sep 3, 2021 · 1 comment · Fixed by #15639
Closed

[BUG]: Phalon\Logger\Adapter\* remove serialization #15638

niden opened this issue Sep 3, 2021 · 1 comment · Fixed by #15639
Assignees
@niden
Labels
5.0 The issues we want to solve in the 5.0 release bug A bug report status: high High

Comments

@niden
Copy link
Member

niden commented Sep 3, 2021
edited
Loading

When a Logger adapter is destroyed, it will call commit to ensure that any pending messages while in transactional mode are written in the log file.

This introduces potentially a security threat, for applications that utilize serializing or unserializing objects such as the logger.

The logger adapters will have the serialize/unserialize functionality removed.

Credit: Zach Leigh, who contacted us with this vulnerability. The example is an edge case and has a few prerequisites so as to expose the vulnerability, but for an abundance of caution, we are issuing this fix.
@niden niden added bug A bug report status: high High 5.0 The issues we want to solve in the 5.0 release labels Sep 3, 2021
@niden niden self-assigned this Sep 3, 2021
@niden niden mentioned this issue Sep 3, 2021
Merged
5 tasks
@niden niden linked a pull request Sep 3, 2021 that will close this issue
T15638 logger adapter serialize 5 #15639
Merged
5 tasks
@niden
Copy link
Member Author

niden commented Sep 5, 2021

Resolved in #15639

@niden niden closed this as completed Sep 5, 2021
@niden niden added this to Phalcon v5 Aug 25, 2022
@niden niden moved this to Released in Phalcon v5 Aug 25, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@niden niden

Labels
5.0 The issues we want to solve in the 5.0 release bug A bug report status: high High
Projects
Phalcon v5
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

T15638 logger adapter serialize 5
1 participant
@niden