Merge pull request from GHSA-699q-wcff-g9mj

samdark · web-flow · commit 9abccb96d7c5 · 2020-09-15T00:15:51.000+03:00
* Fix unsafe unserialize()

* Add changelog and comments on why unserialize() is disabled

* Add since tag
diff --git a/framework/CHANGELOG.md b/framework/CHANGELOG.md
@@ -4,6 +4,7 @@ Yii Framework 2 Change Log
 2.0.38 under development
 ------------------------
 
+- Bug: (CVE-2020-15148): Disable unserialization of `yii\db\BatchQueryResult` to prevent remote code execution in case application calls unserialize() on user input containing specially crafted string (samdark, russtone)
 - Enh #18213: Do not load fixtures with circular dependencies twice instead of throwing an exception (JesseHines0)
 - Bug #18066: Fix `yii\db\Query::create()` wasn't using all info from `withQuery()` (maximkou)
 - Bug #18269: Fix integer safe attribute to work properly in `yii\base\Model` (Ladone)
diff --git a/framework/db/BatchQueryResult.php b/framework/db/BatchQueryResult.php
@@ -223,4 +223,15 @@ private function getDbDriverName()
 
         return null;
     }
+
+    /**
+     * Unserialization is disabled to prevent remote code execution in case application
+     * calls unserialize() on user input containing specially crafted string.
+     * @see CVE-2020-15148
+     * @since 2.0.38
+     */
+    public function __wakeup()
+    {
+        throw new \BadMethodCallException('Cannot unserialize ' . __CLASS__);
+    }
 }
