From b56a4a96ca33abd5145c915b178e5985ade1fa16 Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Mon, 4 Mar 2019 16:05:06 -0800
Subject: [PATCH] Harden against serialization vulnerabilities (#46)

---
 CRM/Utils/AutoClean.php | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/CRM/Utils/AutoClean.php b/CRM/Utils/AutoClean.php
index 558ca34adb..c2c21dc184 100644
--- a/CRM/Utils/AutoClean.php
+++ b/CRM/Utils/AutoClean.php
@@ -102,4 +102,24 @@ class CRM_Utils_AutoClean {
 \Civi\Core\Resolver::singleton()->call($this->callback, $this->args);
 }
 
+ /**
+ * Prohibit (de)serialization of CRM_Utils_AutoClean.
+ *
+ * The generic nature of AutoClean makes it a potential target for escalating
+ * serialization vulnerabilities, and there's no good reason for serializing it.
+ */
+ public function __sleep() {
+ throw new \RuntimeException("CRM_Utils_AutoClean is a runtime helper. It is not intended for serialization.");
+ }
+
+ /**
+ * Prohibit (de)serialization of CRM_Utils_AutoClean.
+ *
+ * The generic nature of AutoClean makes it a potential target for escalating
+ * serialization vulnerabilities, and there's no good reason for deserializing it.
+ */
+ public function __wakeup() {
+ throw new \RuntimeException("CRM_Utils_AutoClean is a runtime helper. It is not intended for deserialization.");
+ }
+
 }
-- 
2.25.1
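Review bot: `__wakeup()` throws only after `unserialize()` has already populated `$this->callback` and `$this->args` from the payload, so the rejection does not by itself neutralise the attacker-controlled state; the method whose body shows `\Civi\Core\Resolver::singleton()->call($this->callback, $this->args)` starts outside the hunk, and if that is the class's `__destruct` (as the AutoClean name suggests), whether it still runs on the abandoned object depends on the PHP version's handling of failed unserialization. Clearing the state before throwing removes that dependence at no cost: `$this->callback = NULL;` and `$this->args = NULL;` as the first two lines of `__wakeup()`, ahead of the existing `throw`. It would also be worth documenting in the `__wakeup()` docblock that the throw is a second line of defence and that the callback is deliberately discarded first, so a later refactor does not reorder the lines. The `__sleep()` side is fine as written, since throwing there aborts `serialize()` before any output is produced.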