From 809c94f9691fdbfe416efbc6960bcbd4f64c780d Mon Sep 17 00:00:00 2001
From: KiloClaw
Date: Sun, 31 May 2026 03:48:35 +0000
Subject: [PATCH] Security: add allowed_classes to Form::getSessionValidationResult() unserialize()

Form::getSessionValidationResult() deserializes a ValidationResult object stored in the user session without restricting allowed_classes. Since PHP session data can be influenced by an attacker (e.g. session fixation, session storage compromise, or a separate injection bug), this creates a PHP Object Injection (POI) vector where an attacker can craft a serialized payload containing arbitrary class instances.

The deserialized value is always expected to be a ValidationResult, so add an explicit allowed_classes allowlist:

    unserialize($resultData, ['allowed_classes' => [ValidationResult::class]])

This limits instantiation to only the expected class, preventing exploitation via gadget chains even if an attacker controls the session content.
---
 src/Forms/Form.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Forms/Form.php b/src/Forms/Form.php
index 1c62887369b..d271d701d6d 100644
--- a/src/Forms/Form.php
+++ b/src/Forms/Form.php
@@ -502,7 +502,7 @@ public function getSessionValidationResult()
     {
         $resultData = $this->getSession()->get("FormInfo.{$this->FormName()}.result");
         if (isset($resultData)) {
-            return unserialize($resultData ?? '');
+            return unserialize($resultData ?? '', ['allowed_classes' => [ValidationResult::class]]);
         }
         return null;
     }
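Review bot: The allowlist stops unserialize() from instantiating other classes, but the added `+` line still returns the raw result, so a payload naming any other class comes back as a `__PHP_Incomplete_Class` object (and malformed or non-object data as `false`, a scalar or an array) instead of being rejected, and a caller that expects ValidationResult|null only finds out when it calls a method on it. Capture the value and gate it on type: `$result = unserialize($resultData ?? '', ['allowed_classes' => [ValidationResult::class]]);` followed by `return $result instanceof ValidationResult ? $result : null;`, which also gives the function the contract the commit message describes. The `?? ''` is dead inside the `isset($resultData)` guard and can be dropped at the same time. This assumes `ValidationResult` is imported at the top of Form.php, which is outside the hunk, and that ValidationResult holds no object-typed properties that would themselves need to be on the allowlist; neither can be confirmed from here. Even with the gate, the messages inside a crafted ValidationResult remain attacker-chosen, so whatever renders them must keep escaping per output context.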