Unsafe deserialization in Yii 2

2020-09-15T18:19:56
ID GHSA-699Q-WCFF-G9MJ
Type github
Reporter GitHub Advisory Database
Modified 2020-09-15T18:19:56

Description

Impact

Remote code execution if the application calls unserialize() on user input containing a specially crafted string.

Patches

2.0.38

Workarounds

Add the following to BatchQueryResult.php:

```php
// Refuse serialization: __sleep() is invoked by serialize().
public function __sleep()
{
    throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
}

// Refuse deserialization: __wakeup() is invoked by unserialize().
public function __wakeup()
{
    throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
}
```
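The guard pattern this workaround relies on, shown in a stand-alone script as an added example (not code from the advisory or from Yii): the class name GuardedResult and its field are assumptions, and the last step shows PHP's allowed_classes option as a further mitigation for code that must call unserialize() on untrusted data.

```php
<?php
// Added example, not part of the advisory or the Yii 2 code base.
// Shows how __sleep()/__wakeup() guards stop an object from being
// serialized or rebuilt, and how allowed_classes => false prevents
// unserialize() from instantiating any real class at all.

class GuardedResult
{
    // Constructed stand-in for a class that must never travel through
    // serialize()/unserialize(); the field is an assumption.
    private $handle = 'live-resource';

    public function __sleep()
    {
        throw new \BadMethodCallException('Cannot serialize ' . __CLASS__);
    }

    public function __wakeup()
    {
        throw new \BadMethodCallException('Cannot unserialize ' . __CLASS__);
    }
}

// 1. serialize() on the guarded object is refused.
try {
    serialize(new GuardedResult());
} catch (\BadMethodCallException $e) {
    echo $e->getMessage(), PHP_EOL;   // Cannot serialize GuardedResult
}

// 2. A constructed serialized string naming the guarded class is refused
//    on the way in: __wakeup() runs and throws before any other logic.
$untrusted = 'O:13:"GuardedResult":0:{}';
try {
    unserialize($untrusted);
} catch (\BadMethodCallException $e) {
    echo $e->getMessage(), PHP_EOL;   // Cannot unserialize GuardedResult
}

// 3. Defence in depth (PHP >= 7.0): with allowed_classes => false every
//    object becomes __PHP_Incomplete_Class, so no __wakeup() or
//    __destruct() of a real class can run during deserialization.
$result = unserialize($untrusted, ['allowed_classes' => false]);
var_dump($result instanceof \__PHP_Incomplete_Class);   // bool(true)
```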

For more information

If you have any questions or comments about this advisory, contact us through the security form.