diff --git a/src/RemoteRequest/TemporaryFileCachedRemoteGetRequest.php b/src/RemoteRequest/TemporaryFileCachedRemoteGetRequest.php
index 55ffa4a5e..e7bbc8784 100644
--- a/src/RemoteRequest/TemporaryFileCachedRemoteGetRequest.php
+++ b/src/RemoteRequest/TemporaryFileCachedRemoteGetRequest.php
@@ -87,7 +87,7 @@ public function get($url, $headers = [])
 // phpcs:disable PHPCompatibility.FunctionUse.NewFunctionParameters.unserialize_optionsFound
 if ($cachedResponse !== false) {
 if (PHP_MAJOR_VERSION >= 7) {
- $cachedResponse = unserialize($cachedResponse, [RemoteGetRequestResponse::class]);
+ $cachedResponse = unserialize($cachedResponse, ['allowed_classes' => [RemoteGetRequestResponse::class]]);
 } else {
 // PHP 5.6 does not provide the second $options argument yet.
 $cachedResponse = unserialize($cachedResponse);
diff --git a/tests/RemoteRequest/TemporaryFileCachedRemoteGetRequestTest.php b/tests/RemoteRequest/TemporaryFileCachedRemoteGetRequestTest.php
index bd333a8a3..80dbe39fe 100644
--- a/tests/RemoteRequest/TemporaryFileCachedRemoteGetRequestTest.php
+++ b/tests/RemoteRequest/TemporaryFileCachedRemoteGetRequestTest.php
@@ -142,4 +142,27 @@ private function getTemporaryFileCachedRemoteGetRequest()
 vfsStream::url(self::DIRECTORY_NAME)
 );
 }
+
+ public function testPHPObjectInjection()
+ {
+ $cachedRequest = $this->getTemporaryFileCachedRemoteGetRequest();
+
+ $urls = array_keys(TestMarkup::STUBBED_REMOTE_REQUESTS);
+ $url = $urls[0];
+
+ $filename = TemporaryFileCachedRemoteGetRequest::CACHED_FILE_PREFIX . md5($url);
+ $file = vfsStream::url(self::DIRECTORY_NAME . "/{$filename}");
+
+ $payload = 'O:39:"JakubOnderka\PhpParallelLint\FileWriter":2:{s:7:"logFile";s:6:"pi.php";s:6:"buffer";s:18:"";}';
+ file_put_contents($file, $payload);
+
+ $cachedRequest->get($url);
+
+ $injected_file = getcwd() . DIRECTORY_SEPARATOR . 'pi.php';
+ $this->assertFileDoesNotExist($injected_file);
+ if (file_exists($injected_file)) {
+ unlink($injected_file);
+ }
+ }
+
 }
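Review bot: With the corrected `allowed_classes` option, a cache file holding any other class now deserializes to `__PHP_Incomplete_Class` instead of failing, and nothing in the hunk checks the result before it is used as a response; add `if (!$cachedResponse instanceof RemoteGetRequestResponse) { $cachedResponse = false; }` after the if/else so that a tampered or stale cache entry takes the cache-miss path (assuming `false` is that path, as the surrounding `!== false` test suggests). The PHP 5.6 branch still calls unserialize() with no restriction, so on that version the instanceof check is only defense in depth — the cache file in a temporary directory remains a deserialization sink there, and a cache format that cannot instantiate classes (JSON fields rehydrated into the response object) would close it on both versions. The `phpcs:disable` on the first context line has no matching `phpcs:enable` within the hunk; confirm one follows. The body of get() starts and ends outside the hunk.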
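Review bot: The test only fails when the gadget class is autoloadable and the payload actually parses, and as shown the payload is malformed — `s:18:"";` announces an 18-byte string but supplies none, so unserialize() rejects it and returns false before any object is built; if that is an extraction artifact of the real fixture, ignore this, otherwise the test passes vacuously and should also assert `class_exists('JakubOnderka\PhpParallelLint\FileWriter')` so a missing dev dependency does not silently turn it green. The cleanup is also ordered after the assertion, so a failing run leaves `pi.php` in the working directory and can contaminate later runs; capture the state first and clean up unconditionally: `$wasInjected = file_exists($injected_file);`, `if ($wasInjected) { unlink($injected_file); }`, `$this->assertFalse($wasInjected, 'unserialize() instantiated a class outside allowed_classes');`. It would strengthen the test to also assert on the value `get($url)` returns, since a blocked class yields an incomplete object and the caller should see a fresh fetch rather than that. `assertFileDoesNotExist` exists only in newer PHPUnit (older releases spell it `assertFileNotExists`); confirm the suite's pinned version provides it, given the code still targets PHP 5.6.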