From 910982ce2a45542915d8bd843b4c69cc9d94088b Mon Sep 17 00:00:00 2001
From: Cerdic <cedric@yterium.com>
Date: Tue, 7 Mar 2023 15:03:08 +0100
Subject: [PATCH] =?UTF-8?q?security:=20Ameliorer=20c76770a=20en=20=C3=A9vi?=
 =?UTF-8?q?tant=20un=20`unserialize`=20dans=20l'=C3=A9cran=20de=20s=C3=A9c?=
 =?UTF-8?q?urit=C3=A9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

(cherry picked from commit 9b1c3cf455b624163546f1521148897a5c96d5d6)
---
 config/ecran_securite.php | 36 ++++++++++++++++++++++++++++++------
 1 file changed, 30 insertions(+), 6 deletions(-)

diff --git a/config/ecran_securite.php b/config/ecran_securite.php
index 4ff6917bbe..7a4e15357d 100644
--- a/config/ecran_securite.php
+++ b/config/ecran_securite.php
@@ -654,17 +654,41 @@ if (
 ) {
 	foreach ($_REQUEST as $k => $v) {
 		if (is_string($v)
-		  and strpos($v, ':') !== false
-		  and strpos($v, '"') !==false
-		  and preg_match(',[bidsaO]:,', $v)
-		  and @unserialize($v)) {
-			$_REQUEST[$k] = htmlentities($v);
+		  and strpbrk($v, "&\"'<>") !== false
+		  and preg_match(',^[abis]:\d+[:;],', $v)
+		  and __ecran_test_if_serialized($v)
+		) {
+			$_REQUEST[$k] = htmlspecialchars($v, ENT_QUOTES);
 			if (isset($_POST[$k])) $_POST[$k] = $_REQUEST[$k];
 			if (isset($_GET[$k])) $_GET[$k] = $_REQUEST[$k];
 		}
 	}
 }
-
+/**
+ * Version simplifiĂŠe de https://developer.wordpress.org/reference/functions/is_serialized/
+ */
+function __ecran_test_if_serialized($data) {
+	$data = trim($data);
+	if ('N;' === $data) {return true;}
+	if (strlen($data) < 4) {return false;}
+	if (':' !== $data[1]) {return false;}
+	$semicolon = strpos($data, ';');
+	$brace = strpos($data, '}');
+	// Either ; or } must exist.
+	if (false === $semicolon && false === $brace) {return false;}
+	// But neither must be in the first X characters.
+	if (false !== $semicolon && $semicolon < 3) {return false;}
+	if (false !== $brace && $brace < 4) {return false;}
+	$token = $data[0];
+	if (in_array($token, array('s', 'S'))) {
+		if (false === strpos($data, '"')) {return false;}
+	} elseif (in_array($token, array('a', 'O', 'C', 'o', 'E'))) {
+		return (bool)preg_match("/^{$token}:[0-9]+:/s", $data);
+	} elseif (in_array($token, array('b', 'i', 'd'))) {
+		return (bool)preg_match("/^{$token}:[0-9.E+-]+;/", $data);
+	}
+	return false;
+}
 
 /*
  * S'il y a une raison de mourir, mourons
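Review bot: The new pre-filter `preg_match(',^[abis]:\d+[:;],', $v)` only admits the a/b/i/s tokens, whereas `__ecran_test_if_serialized` also recognises O, C, o, E and d, so a value that serialises an object at top level (`O:N:"…":…`) never reaches the helper and is passed through unescaped. Objects nested inside an array still trip the `a` branch, so this may be deliberate; if not, `preg_match(',^[abisOCE]:\d+[:;],', $v)` aligns the two (a `d:` value carries a float, so it would need the helper's `[0-9.E+-]+` rather than `\d+`). In the helper, `in_array($token, array('s', 'S'))` and the two sibling calls should pass `true` as the third argument, e.g. `in_array($token, ['s', 'S'], true)`, even though `$token` is always a one-character string here. The docblock above the helper reads "simplifiĂŠe", which looks like a mis-encoded "simplifiée"; worth confirming the file is saved as UTF-8. The enclosing `if (` condition and its body start before the hunk.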
-- 
GitLab