From 9d2389f5b09763e39e49616e5271f17bed27e0df Mon Sep 17 00:00:00 2001
From: Bogdan
Date: Mon, 22 Jun 2026 22:52:29 +0200
Subject: [PATCH] Fix PHP Object Injection vulnerability in Entity ArrayCast

---
 system/Entity/Cast/ArrayCast.php | 2 +-
 tests/system/Entity/Cast/ArrayCastTest.php | 34 ++++++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 tests/system/Entity/Cast/ArrayCastTest.php

diff --git a/system/Entity/Cast/ArrayCast.php b/system/Entity/Cast/ArrayCast.php
index 6860b41416b6..3c9f224c51c4 100644
--- a/system/Entity/Cast/ArrayCast.php
+++ b/system/Entity/Cast/ArrayCast.php
@@ -18,7 +18,7 @@ class ArrayCast extends BaseCast
 public static function get($value, array $params = []): array
 {
 if (is_string($value) && (str_starts_with($value, 'a:') || str_starts_with($value, 's:'))) {
- $value = unserialize($value);
+ $value = unserialize($value, ['allowed_classes' => false]);
 }
 return (array) $value;
diff --git a/tests/system/Entity/Cast/ArrayCastTest.php b/tests/system/Entity/Cast/ArrayCastTest.php
new file mode 100644
index 000000000000..7dfb4375a60b
--- /dev/null
+++ b/tests/system/Entity/Cast/ArrayCastTest.php
@@ -0,0 +1,34 @@
+
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace CodeIgniter\Entity\Cast;
+
+use CodeIgniter\Test\CIUnitTestCase;
+use PHPUnit\Framework\Attributes\Group;
+use stdClass;
+
+/**
+ * @internal
+ */
+#[Group('Others')]
+final class ArrayCastTest extends CIUnitTestCase
+{
+ public function testGetPreventsObjectInjection(): void
+ {
+ $payload = serialize([new stdClass()]);
+
+ $result = ArrayCast::get($payload);
+
+ $this->assertInstanceOf('__PHP_Incomplete_Class', $result[0]);
+ }
+}
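Review bot: The new `unserialize()` call stops objects from being instantiated, but a payload that contains one still yields a `__PHP_Incomplete_Class` placeholder that the `(array)` cast hands back to the caller, and a malformed payload (where `unserialize()` returns `false` with a notice) is silently turned into `[]` by the same cast, so neither case is reported. If this cast is meant to carry plain data only, it is worth rejecting entries that are instances of `\__PHP_Incomplete_Class` after the decode (an `InvalidArgumentException` would match the rest of the cast layer better than a silent placeholder), and the `'max_depth'` option of `unserialize()` can bound the nesting of untrusted input in the same options array. The changed line should also record why the option is there, e.g. `// allowed_classes=false: any object in the payload decodes to __PHP_Incomplete_Class instead of being instantiated, so no __wakeup()/__unserialize()/__destruct() runs on stored data.` The closing brace of get() lies outside the hunk.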
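Review bot: The new test only covers an object at the top level of the array; it does not check an object nested inside the structure, which is the more common shape of a crafted payload, nor that an ordinary serialized array still round-trips after the options argument was added. Add a positive case `self::assertSame(['a' => 1], ArrayCast::get(serialize(['a' => 1])));` and a nested case built from `serialize(['k' => ['v' => new stdClass()]])` asserting that the inner value is a `\__PHP_Incomplete_Class`. The class name passed to `assertInstanceOf` can be written as `\__PHP_Incomplete_Class::class` instead of a bare string so a typo is caught by static analysis rather than at runtime.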