Pending

XananasX7 - 31 May 2026

Pull Request resolves #

  • I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.

Summary of Changes

This PR adds allowed_classes to unserialize() calls in several Joomla cache controller and search components.

Affected locations:

  • libraries/src/Cache/Controller/ — PageController, OutputController, ViewCacheController, CallbackController
  • components/com_finder/src/Model/SearchModel.php — deserializes search state from session

Risk: Without allowed_classes, an attacker who can write to the cache backend or session can trigger PHP Object Injection. For file-based caches the risk requires filesystem write access, but for Redis/Memcached backends a compromised shared cache server is sufficient.

Fix: Restrict each unserialize() to only the specific classes legitimately stored in each location.

Testing Instructions

  1. Apply the patch.
  2. Test the page/output/view/callback cache scenarios work normally.
  3. Test com_finder search with filter state works normally.

Actual result BEFORE applying this Pull Request

unserialize() calls in cache controllers and com_finder have no class restrictions.

Expected result AFTER applying this Pull Request

unserialize() is restricted to only the expected classes at each call site.

Link to documentations

  • No documentation changes for guide.joomla.org needed
  • No documentation changes for manual.joomla.org needed
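A worked illustration of the before/after described in this PR, added here as an example; it is not code from the PR or from the Joomla code base. The classes CachedPage and Gadget and the serialized payload string are constructed for the demonstration and stand in for whatever a given cache controller or the com_finder session state really stores.

```php
<?php
// Added example, not Joomla code: shows what allowed_classes changes.

// Constructed stand-in for a class a cache backend legitimately stores.
final class CachedPage
{
    public function __construct(public string $body, public int $expires) {}
}

// Constructed stand-in for a "gadget": any class whose destructor or magic
// method has a side effect. Real ones live in application or vendor code.
final class Gadget
{
    public static array $log = [];
    public string $action = 'noop';

    public function __destruct()
    {
        self::$log[] = $this->action;
    }
}

// Constructed payload: what someone with write access to the cache or session
// store might plant in place of a serialized CachedPage.
$payload = 'O:6:"Gadget":1:{s:6:"action";s:7:"deleted";}';

// BEFORE: unrestricted unserialize() instantiates whatever class the data names,
// as long as it is loaded or autoloadable.
function loadUnsafe(string $data): mixed
{
    return unserialize($data);
}

// AFTER: only the expected class may be instantiated. Any other class name is
// materialised as __PHP_Incomplete_Class: its properties are kept, but none of
// its methods, including __destruct and __wakeup, ever run.
function loadSafe(string $data): ?CachedPage
{
    $value = unserialize($data, ['allowed_classes' => [CachedPage::class]]);

    // Type-check the result as well: a poisoned entry should read as a cache
    // miss, not as a value the caller goes on to use.
    return $value instanceof CachedPage ? $value : null;
}

$legit = serialize(new CachedPage('<p>hello</p>', 1_900_000_000));

$page = loadSafe($legit);          // CachedPage, constructor not called, properties restored
$poisoned = loadSafe($payload);    // null: Gadget is not on the allow-list
$beforeUnsafe = Gadget::$log;      // still empty, the destructor has not run

$obj = loadUnsafe($payload);       // Gadget is instantiated
unset($obj);                       // destructor runs here and appends to Gadget::$log
$afterUnsafe = Gadget::$log;
```

Run stand-alone, `$page` is a CachedPage, `$poisoned` is null and `$beforeUnsafe` is an empty array; only after the unrestricted `loadUnsafe()` call does `$afterUnsafe` contain `"deleted"`. Two points a reviewer of each call site should check: `allowed_classes` applies recursively to every object in the serialized graph, so the list at a given call site must name every class that legitimately appears there (a nested value object or DateTime included), otherwise a valid entry silently degrades to an incomplete object; and where a call site only ever expects scalars and arrays, `['allowed_classes' => false]` is the tighter setting. Malformed data still makes `unserialize()` return false with an E_WARNING, so callers should treat a non-object result the same way as the null above.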
XananasX7 - open - 31 May 2026
XananasX7 - change - 31 May 2026
Status New Pending
joomla-cms-bot - change - 31 May 2026
Category Administration com_finder Front End Libraries
brianteeman - comment - 31 May 2026

There was a reason that you were given a template to complete when you submitted this PR. Please update your PR with the required information. You can find the template here https://github.com/joomla/joomla-cms/blob/5.4-dev/.github/PULL_REQUEST_TEMPLATE.md

In addition please read https://github.com/joomla/joomla-cms/security

XananasX7 - change - 31 May 2026
The description was changed
XananasX7 - edited - 31 May 2026
XananasX7 - comment - 31 May 2026

Apologies @brianteeman — PR description has been updated with the full template including summary, testing instructions, before/after results, and documentation checkboxes.
