CVE-2019-19826

An attacker sends a crafted HTTP POST request to a Drupal view that uses the Views Dynamic Fields module. The request includes a `field_names` (or `combined`) parameter containing a serialized PHP object, such as an `Archive_Tar` instance with a `_temp_tarname` property set to a target file path [ref_id=1]. When the module calls `unserialize()` on this input (lines 281, 483, or 567), the malicious object is instantiated, and upon destruction the `Archive_Tar::__destruct()` method deletes the specified file via `drupal_unlink()` [ref_id=1]. The attack requires network access to the Drupal site and the ability to submit exposed filter values, but no prior authentication is needed [ref_id=1].

The vulnerability resides in `handlers/views_handler_filter_dynamic_fields.inc` at three locations where user-supplied input is passed directly to PHP's `unserialize()` without sanitization: lines 281, 483, and 567 [ref_id=1]. The `$exposed_input['field_names']` and `$exposed_input['combined']` parameters are taken from HTTP POST data and unserialized, allowing an attacker to inject arbitrary PHP objects [ref_id=1].

No patch is published in the supplied bundle; the advisory notes the module is affected through version 7.x-1.0-alpha4 [ref_id=1]. The remediation would require replacing all three `unserialize()` calls with a safe alternative such as JSON decoding or strict input validation, and ensuring that user-supplied data is never passed to PHP's unserialize without sanitization [ref_id=1].

Send a POST request to a Drupal view that uses the Views Dynamic Fields exposed filter, including a `field_names` parameter with a serialized PHP object payload. For example, `field_names=a:1:{i:0;O:11:"Archive_Tar":1:{s:13:"_temp_tarname";s:9:"/tmp/test";}}` will delete the file `/tmp/test` on the server [ref_id=1].