Remote code execution vulnerability

[deenrookie]

Hi, this is Tencent Xcheck team. Our code safety check tool Xcheck has found several unserialize vulnerabilities in this project（v4, v5, v6）. It leads to remote code execution. Here are the details.

v6

1. app/admin/controller/api/Update.php
   line: 46 $this->rules = unserialize($this->request->post('rules', 'a:0:{}', ''));
   line: 47 $this->ignore = unserialize($this->request->post('ignore', 'a:0:{}', ''));

v6 v5 v4
2. app/wechat/controller/api/Push.php
line: 102 $this->receive = $this->toLower(unserialize($this->request->post('receive', '', null)));

Prevent from abusing of this vulnerability, we don't provide proof of concept. We hope to repair it as soon as possible.

From Xcheck Team

[zoujingli]

ThinkAdmin V6 接口的序列化数据全部改成了 JSON
更新方式：
composer update 更新 vendor 中的 think-library
php think xadmin:install admin 更新 admin 模块
php think xadmin:install wechat 更新 wechat 模块