[SECURITY] Mitigate deserialization flaws

Introduce serializer infrastructure to block PHP object injection
gadgets during deserialization:

* DenyListDeserializer: runtime guard that rejects any payload
  referencing a gadget class before deserialization proceeds.
  The per-class deny/allow decision is resolved lazily via
  ReflectionClass at first encounter, then cached in cache:core
  signed with HMAC so that reflection is never repeated for the
  same class within a cache lifetime. A gadget class is one with a
  user-defined __destruct() or an exploitable __wakeup() (i.e. one
  not provided solely by BlockSerializationTrait).

* AuthenticatedMessageDeserializer: signs payloads with HMAC
  on write and validates the HMAC on read, preventing
  adversarially crafted deserialization payloads.

Two complementary strategies are applied:

VariableFrontend (cache frontend) uses
AuthenticatedMessageDeserializer: caches are temporary and written
exclusively by the server, so HMAC authentication provides a strong
integrity guarantee. All classes are allowed after a successful HMAC
check. Legacy cache entries without an HMAC that contain no class
tokens are still deserialized safely with allowed_classes=false;
those with class tokens are discarded and treated as a transparent
cache miss.

Registry (sys_registry) uses DenyListDeserializer: long-lived
persisted data requires a denylist strategy (block known-bad, allow
unknown) to avoid breaking changes to existing stored values.

Where only scalar values are serialized (Scheduler task executions,
last-failure data, non-cacheable cObj data in RequestHandler),
unserialize() is hardened directly with allowed_classes=false.

Resolves: #108604
Releases: main, 14.3, 13.4
Change-Id: Ie3284eba4937b28be98c4d0f83d1d2f85ce963b5
Security-Bulletin: TYPO3-CORE-SA-2026-018
Security-References: CVE-2026-49740
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/94428
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Author: ohader

typo3/sysext/core/Classes/Cache/Backend/FileBackend.php

@@ -40,7 +40,7 @@ class FileBackend extends SimpleFileBackend implements FreezableBackendInterface
     protected $cacheEntryFileExtension = '';
 
     /**
-     * @var array
+     * @var array<string, true>
      */
     protected $cacheEntryIdentifiers = [];
 
@@ -107,7 +107,10 @@ public function setCache(FrontendInterface $cache)
         parent::setCache($cache);
         if (file_exists($this->cacheDirectory . 'FrozenCache.data')) {
             $this->frozen = true;
-            $this->cacheEntryIdentifiers = unserialize((string)file_get_contents($this->cacheDirectory . 'FrozenCache.data'));
+            $this->cacheEntryIdentifiers = unserialize(
+                (string)file_get_contents($this->cacheDirectory . 'FrozenCache.data'),
+                ['allowed_classes' => false]
+            );
         }
     }
 

typo3/sysext/core/Classes/Cache/Frontend/VariableFrontend.php

@@ -16,6 +16,10 @@
 namespace TYPO3\CMS\Core\Cache\Frontend;
 
 use TYPO3\CMS\Core\Cache\Backend\TransientBackendInterface;
+use TYPO3\CMS\Core\Crypto\HashService;
+use TYPO3\CMS\Core\Serializer\AuthenticatedMessageDeserializer;
+use TYPO3\CMS\Core\Serializer\DeserializationService;
+use TYPO3\CMS\Core\Serializer\Exception\DeserializerException;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 
 /**
@@ -57,7 +61,9 @@ public function set($entryIdentifier, $variable, array $tags = [], $lifetime = n
             GeneralUtility::callUserFunction($_funcRef, $params, $this);
         }
         if (!$this->backend instanceof TransientBackendInterface) {
-            $variable = serialize($variable);
+            // No DI/GeneralUtility::makeInstance usage, since caching needs to operate prior to DI container setup.
+            $deserializer = new AuthenticatedMessageDeserializer(new HashService(), new DeserializationService());
+            $variable = $deserializer->serialize($variable, VariableFrontend::class);
         }
         $this->backend->set($entryIdentifier, $variable, $tags, $lifetime);
     }
@@ -82,6 +88,15 @@ public function get($entryIdentifier)
         if ($rawResult === false) {
             return false;
         }
-        return $this->backend instanceof TransientBackendInterface ? $rawResult : unserialize($rawResult);
+        if ($this->backend instanceof TransientBackendInterface) {
+            return $rawResult;
+        }
+        try {
+            // No DI/GeneralUtility::makeInstance usage, since caching needs to operate prior to DI container setup.
+            $deserializer = new AuthenticatedMessageDeserializer(new HashService(), new DeserializationService());
+            return $deserializer->deserialize($rawResult, VariableFrontend::class);
+        } catch (DeserializerException) {
+            return false;
+        }
     }
 }

typo3/sysext/core/Classes/Registry.php

@@ -17,6 +17,7 @@
 
 use TYPO3\CMS\Core\Database\Connection;
 use TYPO3\CMS\Core\Database\ConnectionPool;
+use TYPO3\CMS\Core\Serializer\DenyListDeserializer;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 
 /**
@@ -41,6 +42,7 @@ class Registry implements SingletonInterface
      */
     protected $loadedNamespaces = [];
 
+    public function __construct(protected readonly DenyListDeserializer $deserializer) {}
     /**
      * Returns a persistent entry.
      *
@@ -169,7 +171,7 @@ protected function loadEntriesByNamespace($namespace)
                 ['entry_namespace' => $namespace]
             );
         while ($row = $result->fetchAssociative()) {
-            $this->entries[$namespace][$row['entry_key']] = unserialize($row['entry_value']);
+            $this->entries[$namespace][$row['entry_key']] = $this->deserializer->deserialize($row['entry_value']);
         }
         $this->loadedNamespaces[$namespace] = true;
     }

typo3/sysext/core/Classes/Resource/ProcessedFile.php

@@ -17,6 +17,7 @@
 
 namespace TYPO3\CMS\Core\Resource;
 
+use TYPO3\CMS\Core\Imaging\ImageManipulation\Area;
 use TYPO3\CMS\Core\Resource\Processing\TaskTypeRegistry;
 use TYPO3\CMS\Core\Resource\Service\ConfigurationService;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
@@ -120,8 +121,7 @@ public function __construct(File $originalFile, string $taskType, array $process
     protected function reconstituteFromDatabaseRecord(array $databaseRow): void
     {
         $this->taskType = $this->taskType ?: $databaseRow['task_type'];
-        // @todo In case the original configuration contained file objects the reconstitution fails. See ConfigurationService->serialize()
-        $this->processingConfiguration = $this->processingConfiguration ?: (array)unserialize($databaseRow['configuration'] ?? '');
+        $this->processingConfiguration = $this->processingConfiguration ?: (array)unserialize($databaseRow['configuration'] ?? '', ['allowed_classes' => [Area::class]]);
 
         $this->originalFileSha1 = $databaseRow['originalfilesha1'];
         $this->identifier = $databaseRow['identifier'];

typo3/sysext/core/Classes/Serializer/AuthenticatedMessageDeserializer.php

@@ -0,0 +1,67 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+
+namespace TYPO3\CMS\Core\Serializer;
+
+use Symfony\Component\DependencyInjection\Attribute\Autoconfigure;
+use TYPO3\CMS\Core\Crypto\HashService;
+use TYPO3\CMS\Core\Exception\Crypto\InvalidHashStringException;
+use TYPO3\CMS\Core\Serializer\Exception\DeserializerException;
+
+/**
+ * @internal Only to be used by TYPO3 core
+ */
+#[Autoconfigure(public: true)]
+final readonly class AuthenticatedMessageDeserializer
+{
+    public function __construct(
+        private HashService $hashService,
+        private DeserializationService $deserializationService,
+    ) {}
+
+    public function serialize(mixed $payload, string $additionalSecret): string
+    {
+        return $this->hashService->appendHmac(
+            serialize($payload),
+            $additionalSecret
+        );
+    }
+
+    public function deserialize(string $payload, string $additionalSecret): mixed
+    {
+        try {
+            $serialized = $this->hashService->validateAndStripHmac(
+                $payload,
+                $additionalSecret
+            );
+        } catch (InvalidHashStringException $e) {
+            $classNames = $this->deserializationService->parseClassNames($payload);
+            // in case the payload does not contain any class names, continue with
+            // a secure deserialization attempt, not allowing any class names
+            if ($classNames === []) {
+                return unserialize($payload, ['allowed_classes' => false]);
+            }
+            throw new DeserializerException(
+                'Authenticated Message Deserialization failed',
+                1780317744,
+                $e
+            );
+        }
+        // explicitly allowing all classes here after successful HMAC validation
+        return unserialize($serialized, ['allowed_classes' => true]);
+    }
+}

typo3/sysext/core/Classes/Serializer/DenyListDeserializer.php

@@ -0,0 +1,167 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+
+namespace TYPO3\CMS\Core\Serializer;
+
+use Symfony\Component\DependencyInjection\Attribute\Autoconfigure;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+use TYPO3\CMS\Core\Cache\Frontend\PhpFrontend;
+use TYPO3\CMS\Core\Crypto\HashService;
+use TYPO3\CMS\Core\Security\BlockSerializationTrait;
+use TYPO3\CMS\Core\Serializer\Exception\DeserializerException;
+
+/**
+ * Deserializes a PHP-serialized payload while refusing any class that carries
+ * a user-defined __destruct() or an exploitable __wakeup() (one not provided
+ * solely by BlockSerializationTrait).
+ *
+ * The per-class deny/allow decision is made lazily via ReflectionClass at the
+ * first encounter of each class name, then cached in cache:core so that
+ * reflection is never repeated for the same class within a cache lifetime.
+ *
+ * Use this instead of a raw unserialize() call when the set of expected classes
+ * is not known upfront but dangerous gadget classes must still be excluded.
+ *
+ * @internal Only to be used by TYPO3 core
+ */
+#[Autoconfigure(public: true)]
+final readonly class DenyListDeserializer
+{
+    /**
+     * @var list<string>
+     */
+    private array $allowedClassNames;
+    private \ReflectionMethod $blockSerializationWakeup;
+
+    public function __construct(
+        #[Autowire(service: 'cache.core')]
+        private PhpFrontend $cache,
+        private HashService $hashService,
+        private DeserializationService $deserializationService,
+    ) {
+        $allowedClassNames = $GLOBALS['TYPO3_CONF_VARS']['SYS']['deserialization']['allowedClassNames'] ?? null;
+        $this->allowedClassNames = is_array($allowedClassNames) ? $allowedClassNames : [];
+        $this->blockSerializationWakeup = (new \ReflectionClass(BlockSerializationTrait::class))->getMethod('__wakeup');
+    }
+
+    /**
+     * Deserializes $payload, throwing DeserializerException if any class name
+     * found in the payload is a deserialization gadget, or if the payload is
+     * syntactically malformed.
+     */
+    public function deserialize(string $payload): mixed
+    {
+        $classNames = $this->deserializationService->parseClassNames($payload);
+        foreach ($classNames as $className) {
+            if ($this->shallClassBeDenied($className)) {
+                throw new DeserializerException(
+                    'Denied class name "' . $className . '" found in payload',
+                    1778594101
+                );
+            }
+        }
+
+        return $this->deserializationService->deserialize($payload, $classNames ?: false);
+    }
+
+    private function shallClassBeDenied(string $className): bool
+    {
+        if (in_array($className, $this->allowedClassNames, true)) {
+            return false;
+        }
+
+        $cacheKey = 'DenyListDeserializer_' . hash('xxh128', $className);
+        if ($this->cache->has($cacheKey)) {
+            $entry = $this->cache->require($cacheKey);
+            if (is_array($entry)
+                && isset($entry['denied'], $entry['hmac'])
+                && $this->hashService->validateHmac(
+                    $this->createHmacPayload($className, (bool)$entry['denied']),
+                    DenyListDeserializer::class,
+                    $entry['hmac']
+                )
+            ) {
+                return (bool)$entry['denied'];
+            }
+            // Tampered or stale entry — fall through to recompute
+        }
+
+        $denied = $this->resolveClassDenyStatus($className);
+        $hmac = $this->hashService->hmac($this->createHmacPayload($className, $denied), DenyListDeserializer::class);
+        $this->cache->set($cacheKey, 'return ' . var_export(['denied' => $denied, 'hmac' => $hmac], true) . ';');
+        return $denied;
+    }
+
+    private function createHmacPayload(string $className, bool $denied): string
+    {
+        return $className . ':' . ($denied ? '1' : '0');
+    }
+
+    private function resolveClassDenyStatus(string $className): bool
+    {
+        try {
+            $rc = new \ReflectionClass($className);
+        } catch (\ReflectionException) {
+            // The class does not exist or cannot be reflected (and not instantiated).
+            // Thus, the class is allowed, since it cannot be a gadget and would
+            // result in a `__PHP_Incomplete_Class` during deserialization.
+            return false;
+        }
+        if ($rc->isInterface() || $rc->isTrait()) {
+            return false;
+        }
+        return $this->getUserDefinedMethod($rc, '__destruct') !== null
+            || $this->hasDeniableWakeupMethod($rc);
+    }
+
+    /**
+     * Returns the method when $methodName is declared in user-defined (non-internal) code
+     * somewhere in the class hierarchy. This excludes methods like Exception::__wakeup()
+     * that PHP declares internally and that are harmless for deserialization purposes.
+     */
+    private function getUserDefinedMethod(\ReflectionClass $rc, string $methodName): ?\ReflectionMethod
+    {
+        if (!$rc->hasMethod($methodName)) {
+            return null;
+        }
+        $method = $rc->getMethod($methodName);
+        if ($method->getDeclaringClass()->isInternal()) {
+            return null;
+        }
+        return $method;
+    }
+
+    /**
+     * Returns true when the class has a user-defined __wakeup() that is NOT
+     * BlockSerializationTrait::__wakeup(). Classes whose only __wakeup comes
+     * from BlockSerializationTrait are already protected against deserialization
+     * (the trait throws unconditionally) and must not be treated as gadgets.
+     *
+     * Note: for trait methods getDeclaringClass() returns the using class, not the
+     * trait — so the origin is identified by comparing the method's source file and line
+     * against the trait's own __wakeup declaration.
+     */
+    private function hasDeniableWakeupMethod(\ReflectionClass $rc): bool
+    {
+        $method = $this->getUserDefinedMethod($rc, '__wakeup');
+        if ($method === null) {
+            return false;
+        }
+        return $method->getFileName() !== $this->blockSerializationWakeup->getFileName()
+            || $method->getStartLine() !== $this->blockSerializationWakeup->getStartLine();
+    }
+}

typo3/sysext/core/Classes/ServiceProvider.php

@@ -465,7 +465,16 @@ public static function getPackageDependentCacheIdentifier(ContainerInterface $co
 
     public static function getRegistry(ContainerInterface $container): Registry
     {
-        return self::new($container, Registry::class);
+        $denyListDeserializer = $container->has(Serializer\DenyListDeserializer::class)
+            ? $container->get(Serializer\DenyListDeserializer::class)
+            : new Serializer\DenyListDeserializer(
+                $container->get('cache.core'),
+                $container->get(HashService::class),
+                new Serializer\DeserializationService(),
+            );
+        return self::new($container, Registry::class, [
+            $denyListDeserializer,
+        ]);
     }
 
     public static function getFileIndexRepository(ContainerInterface $container): Resource\Index\FileIndexRepository

typo3/sysext/core/Configuration/DefaultConfiguration.php

@@ -174,6 +174,12 @@
                 ],
             ],
         ],
+        'deserialization' => [
+            // List of class names that are allowed to be deserialized even if they carry
+            // __destruct() or __wakeup() and would otherwise be blocked. Use this to
+            // explicitly permit classes that have been reviewed and are known to be safe.
+            'allowedClassNames' => [],
+        ],
         'caching' => [
             'cacheConfigurations' => [
                 // The core cache is is for core php code only and must