In SA-CORE-2019-003 the code below was introduced in MapItem.php, and it introduced a bug which throws fatal errors because of an incomplete object, which previously worked.

if (version_compare(PHP_VERSION, '7.0.0', '>=')) {
  $values = unserialize($values, ['allowed_classes' => FALSE]);
}
else {
  $values = unserialize($values);
}

if a class is passed, as for example in commerce logs.
https://www.drupal.org/forum/support/post-installation/2019-02-28/fatal-....

It returns a fatal error like the one below.
Fatal error: method_exists(): The script tried to execute a method or access a property of an incomplete object. Please ensure that the class definition "Drupal\Core\StringTranslation\TranslatableMarkup" of the object you are trying to operate on was loaded _before_ unserialize() gets called or provide an autoloader to load the class definition in ...

I think we can allow TranslatableMarkup here on the list of allowed classes, as it is considered that
"Strings sanitized by t() are automatically marked safe" as listed here

This would solve issues below:
https://www.drupal.org/project/commerce/issues/3040333#comment-13022686
https://www.drupal.org/forum/support/post-installation/2019-02-28/fatal-....

Providing patch for this.

Comments

xSDx created an issue.

xsdx

Issue summary: View changes
xsdx

Status: Active » Needs review
agolubic

Status: Needs review » Reviewed & tested by the community

@xSDx Thanks! Tested, the patch is working and it resolves the issue with the fatal error on commerce log (described in https://www.drupal.org/forum/support/post-installation/2019-02-28/fatal-...)

alexpott

Status: Reviewed & tested by the community » Needs work
Issue tags: +Needs tests, +Needs security review

We'd need test coverage of this change to make sure it works and also to make sure we don't break it in the future. Also we need a security review to make sure this is in line with the security issue.

For what it is worth, \Drupal\Core\StringTranslation\TranslatableMarkup::__sleep() looks like it makes TranslatableMarkup safe to serialise, as only a string and a couple of arrays are serialised - but this can get very complex quickly and needs to be thought about in depth.

I've pinged this issue in the private security channel and commented in the original security issue.
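The following is an added example written for this issue, not Drupal core or Commerce code. It reproduces the behaviour described in the issue summary (an object inside a serialised map value coming back as an incomplete object once `allowed_classes` is FALSE) and the point made in the previous comment about `__sleep()` limiting what gets serialised. `MarkupStandIn`, `safe_render()` and the sample payload are assumptions standing in for TranslatableMarkup and a Commerce log entry, so the script runs on plain PHP 7 or later without Drupal.

```php
<?php
// Added example, not Drupal core or Commerce code. MarkupStandIn is an
// assumption standing in for TranslatableMarkup so the script runs without Drupal.

final class MarkupStandIn {
  private $string;
  private $arguments;

  public function __construct($string, array $arguments = []) {
    $this->string = $string;
    $this->arguments = $arguments;
  }

  // Mirrors the __sleep() idea discussed in the issue: only a string and an
  // array are serialised, never closures, resources or other objects.
  public function __sleep() {
    return ['string', 'arguments'];
  }

  public function render() {
    return strtr($this->string, $this->arguments);
  }
}

// Constructed sample payload: a map value holding a markup object, the shape a
// Commerce log entry stored through MapItem would have.
$payload = serialize(['message' => new MarkupStandIn('Order @id placed', ['@id' => '42'])]);

// 1. MapItem after SA-CORE-2019-003: no classes allowed, so the object is
//    restored as __PHP_Incomplete_Class. Calling method_exists() or any method
//    on it is what produced the fatal error quoted in the summary.
$strict = unserialize($payload, ['allowed_classes' => FALSE]);
var_dump($strict['message'] instanceof __PHP_Incomplete_Class);

// 2. The change proposed in the issue: allow exactly one class that is known to
//    serialise only safe data, rather than going back to an unrestricted
//    unserialize($values) call.
$allowed = unserialize($payload, ['allowed_classes' => [MarkupStandIn::class]]);
echo $allowed['message']->render(), PHP_EOL;

// 3. Whichever list core settles on, consuming code can detect the
//    incomplete-object case before touching the object instead of crashing.
function safe_render($value) {
  if ($value instanceof __PHP_Incomplete_Class) {
    return '[unrenderable: class not allowed during unserialize()]';
  }
  if (!is_object($value) || !method_exists($value, 'render')) {
    return '[no render() method]';
  }
  return $value->render();
}

echo safe_render($strict['message']), PHP_EOL;
echo safe_render($allowed['message']), PHP_EOL;
```

The `instanceof __PHP_Incomplete_Class` check is the one test that is safe on an incomplete object; property access or `method_exists()` on it is exactly what the quoted fatal error comes from, so the guard has to run first.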

xjm

I wonder if Commerce could refactor or extend MapItem to allow the class, instead of changing it in core? I think core should be as restrictive as possible by default as a principle.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

dsdeiz

Attached patch: new, 839 bytes

Rerolling for 8.8.x.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

mrinalini9

Assigned: Unassigned » mrinalini9
mrinalini9

Assigned: mrinalini9 » Unassigned
Status: Needs work » Needs review
Attached patch: new, 839 bytes

Rerolled patch to 9.1.x.

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

needs-review-queue-bot

Status: Needs review » Needs work
Attached file: new, 825 bytes

The Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.