MAGETWO-45226: RCE Vulnerability

 - tighten serialized object detection regex

Author: Dale Sikkema

lib/internal/Magento/Framework/Unserialize/Test/Unit/UnserializeTest.php

@@ -25,12 +25,29 @@ public function testUnserializeArray()
     }
 
     /**
-     * @expectedException Exception
+     * @param string $serialized The string containing serialized object
+     *
+     * @expectedException \Exception
      * @expectedExceptionMessage String contains serialized object
+     * @dataProvider serializedObjectDataProvider
      */
-    public function testUnserializeObject()
+    public function testUnserializeObject($serialized)
     {
-        $serialized = 'a:2:{i:0;s:3:"foo";i:1;O:6:"Object":1:{s:11:"Objectvar";i:123;}}';
         $this->assertFalse($this->unserialize->unserialize($serialized));
     }
+
+    public function serializedObjectDataProvider()
+    {
+        return [
+            // Upper and lower case serialized object indicators, nested in array
+            ['a:2:{i:0;s:3:"foo";i:1;O:6:"Object":1:{s:11:"Objectvar";i:123;}}'],
+            ['a:2:{i:0;s:3:"foo";i:1;o:6:"Object":1:{s:11:"Objectvar";i:123;}}'],
+            ['a:2:{i:0;s:3:"foo";i:1;c:6:"Object":1:{s:11:"Objectvar";i:123;}}'],
+            ['a:2:{i:0;s:3:"foo";i:1;C:6:"Object":1:{s:11:"Objectvar";i:123;}}'],
+
+            // Positive, negative signs on object length, non-nested
+            ['o:+6:"Object":1:{s:11:"Objectvar";i:123;}'],
+            ['o:-6:"Object":1:{s:11:"Objectvar";i:123;}']
+        ];
+    }
 }

lib/internal/Magento/Framework/Unserialize/Unserialize.php

@@ -14,7 +14,7 @@ class Unserialize
      */
     public function unserialize($string)
     {
-        if (preg_match('/o:\d+:"[a-z0-9_]+":\d+:{.*?}/i', $string)) {
+        if (preg_match('/[oc]:[+\-]?\d+:"/i', $string)) {
             trigger_error('String contains serialized object');
             return false;
         }