From 6c70a2e6414bb696d8c723dd281d2206242f9295 Mon Sep 17 00:00:00 2001
From: Marco van 't Wout
Date: Mon, 13 Nov 2023 17:50:52 +0100
Subject: [PATCH 1/5] Fix for CVE-2023-47130
---
 framework/db/schema/CDbCriteria.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/framework/db/schema/CDbCriteria.php b/framework/db/schema/CDbCriteria.php
index febc199a88..7b5be9c151 100644
--- a/framework/db/schema/CDbCriteria.php
+++ b/framework/db/schema/CDbCriteria.php
@@ -198,8 +198,9 @@ public function __wakeup()
 {
 if(is_array($this->$field))
 foreach($this->$field as $k=>$v)
- $this->{$field}[$k]=strtr($v,$map);
- else
+ if (is_string($this->{$field}[$k]))
+ $this->{$field}[$k]=strtr($v,$map);
+ elseif(is_string($this->$field))
 $this->$field=strtr($this->$field,$map);
 }
 }
From ac880320d6a076f5024b50d54395b2ff93319dda Mon Sep 17 00:00:00 2001
From: Marco van 't Wout
Date: Mon, 13 Nov 2023 17:51:22 +0100
Subject: [PATCH 2/5] Improve formatting
---
 framework/db/schema/CDbCriteria.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/framework/db/schema/CDbCriteria.php b/framework/db/schema/CDbCriteria.php
index 7b5be9c151..9b3dcb51c0 100644
--- a/framework/db/schema/CDbCriteria.php
+++ b/framework/db/schema/CDbCriteria.php
@@ -197,11 +197,17 @@ public function __wakeup()
 foreach($sqlContentFieldNames as $field)
 {
 if(is_array($this->$field))
+ {
 foreach($this->$field as $k=>$v)
+ {
 if (is_string($this->{$field}[$k]))
 $this->{$field}[$k]=strtr($v,$map);
+ }
+ }
 elseif(is_string($this->$field))
+ {
 $this->$field=strtr($this->$field,$map);
+ }
 }
 }
 $this->params=$params;
From 3719f5d89dcac781df2d11b7e34c02d868279ed4 Mon Sep 17 00:00:00 2001
From: Marco van 't Wout
Date: Mon, 13 Nov 2023 17:52:41 +0100
Subject: [PATCH 3/5] Update CHANGELOG
---
 CHANGELOG | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG b/CHANGELOG
index d82c62930f..ebd8239bc8 100644
--- a/CHANGELOG
+++ b/CHANGELOG
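Review bot: In [PATCH 1/5] the added `elseif(is_string($this->$field))` follows a brace-less `foreach` whose body is now itself an `if`, so PHP attaches it to the inner `if (is_string($this->{$field}[$k]))` and not to `if(is_array($this->$field))`. At that commit a field holding a plain string is therefore no longer passed through `strtr($this->$field,$map)`, which matters to anyone backporting only the CVE commit. [PATCH 2/5] adds the braces that restore the intended binding, which makes it a behaviour fix rather than formatting; I would squash it into 1/5 or say so in its message. `__wakeup()` begins and ends outside both hunks.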
@@ -6,6 +6,7 @@ Version 1.1.29 under development - Bug #4516: PHP 8 compatibility: Allow union types and intersection types in action declarations (wtommyw) - Bug #4523: Fixed translated in Greek class messages in framework requirements view, which they should not be translated (lourdas) +- Bug: CVE-2023-47130. Prevent RCE when deserializing untrusted user input (ma4ter222, marcovtwout) - Enh #4529: Exceptions thrown while loading fixture file rows now contain more details (eduardor2k) Version 1.1.28 February 28, 2023
From a113037dc35b92e2d6e445ead6c4e6e70082fb11 Mon Sep 17 00:00:00 2001
From: Marco van 't Wout
Date: Tue, 14 Nov 2023 08:48:16 +0100
Subject: [PATCH 4/5] Change is_string to is_scalar to accept more argument types even though string is documented (SELECT 1 (integer) is a common plausible example)
---
 framework/db/schema/CDbCriteria.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/framework/db/schema/CDbCriteria.php b/framework/db/schema/CDbCriteria.php
index 9b3dcb51c0..29bd7ddd4d 100644
--- a/framework/db/schema/CDbCriteria.php
+++ b/framework/db/schema/CDbCriteria.php
@@ -200,11 +200,11 @@ public function __wakeup()
 {
 foreach($this->$field as $k=>$v)
 {
- if (is_string($this->{$field}[$k]))
+ if (is_scalar($this->{$field}[$k]))
 $this->{$field}[$k]=strtr($v,$map);
 }
 }
- elseif(is_string($this->$field))
+ elseif(is_scalar($this->$field))
 {
 $this->$field=strtr($this->$field,$map);
 }
From d687882f09b494908f472343174de8503f4205af Mon Sep 17 00:00:00 2001
From: Marco van 't Wout
Date: Tue, 14 Nov 2023 10:13:37 +0100
Subject: [PATCH 5/5] FIX: Check the proper value
---
 framework/db/schema/CDbCriteria.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/framework/db/schema/CDbCriteria.php b/framework/db/schema/CDbCriteria.php
index 29bd7ddd4d..6b90f04d80 100644
--- a/framework/db/schema/CDbCriteria.php
+++ b/framework/db/schema/CDbCriteria.php
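Review bot: The `is_scalar()` guards in [PATCH 4/5] skip non-scalar values but leave them in the field, and nothing in the code records why the check exists. A later cleanup could drop it again, so I would add a comment above the inner check such as `// strtr() casts its subject to string; an object coming from unserialized data would run __toString() here (CVE-2023-47130)`. Whether a skipped object is still cast to string later, when the criteria is turned into SQL, is not visible in this hunk and is worth confirming. Also note that `strtr()` always returns a string, so after wakeup an integer becomes a numeric string and `false` becomes `''`.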
@@ -200,7 +200,7 @@ public function __wakeup()
 {
 foreach($this->$field as $k=>$v)
 {
- if (is_scalar($this->{$field}[$k]))
+ if (is_scalar($v))
 $this->{$field}[$k]=strtr($v,$map);
 }
 }
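Review bot: Nothing in this series exercises the guarded branch `if (is_scalar($v))`; going by the diffstats, the five patches touch only CDbCriteria.php and CHANGELOG. A regression test would pin the fix: serialize and unserialize a criteria whose `$sqlContentFieldNames` fields hold a mix of strings, an integer and a stub object whose `__toString()` fails the test. It should assert that the scalars are still rewritten through `$map` and the stub is never converted. That would also have caught the brace-less `elseif` binding introduced in 1/5. The enclosing `__wakeup()` starts and ends outside the hunk.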