author | M. Dent <dentm42@gmail.com> | 2018-11-25 09:22:09 +0000 |
---|---|---|
committer | Mario <mario@mariovavti.com> | 2018-12-02 10:15:55 +0100 |
commit | 3b42bd43abcf70c97c070328e07aad45f85a8945 (patch) | |
tree | 270aa46e5f179ee1cdfc4a337822dea5d066b503 | |
parent | a151532ffaf55fa1bc0017d9a83cd21c2f885828 (diff) | |
Do not store serialized pconfig value received via to Module/Pconfig.php
(cherry picked from commit 6b02c664fb9444d66322605c408bb791457ee0b5)
-rw-r--r-- | Zotlabs/Module/Pconfig.php | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/Zotlabs/Module/Pconfig.php b/Zotlabs/Module/Pconfig.php
index 7c82bac7d..bf8e32dff 100644
--- a/Zotlabs/Module/Pconfig.php
+++ b/Zotlabs/Module/Pconfig.php
@@ -22,6 +22,11 @@ class Pconfig extends \Zotlabs\Web\Controller {
 $k = trim(escape_tags($_POST['k']));
 $v = trim($_POST['v']);
 $aj = intval($_POST['aj']);
+
+ // Do not store "serialized" data received in the $_POST
+ if (preg_match('|^a:[0-9]+:{.*}$|s',$v) || preg_match('O:8:"stdClass":[0-9]+:{.*}$|s',$v)) {
+ return;
+ }
 if(in_array(argv(2),$this->disallowed_pconfig())) {
 notice( t('This setting requires special processing and editing has been blocked.') . EOL);  |
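Review bot: The second `preg_match` in the added guard has no opening delimiter and no `^` anchor: its pattern starts with `O`, and PHP's PCRE wrapper rejects an alphanumeric delimiter, so the call raises a warning and returns false, which means a serialized `stdClass` string in `$_POST['v']` is never rejected. It should mirror the first pattern, e.g. `preg_match('|^O:8:"stdClass":[0-9]+:{.*}$|s', $v)`, or be widened to any class name with `'|^O:[0-9]+:"[^"]+":[0-9]+:{.*}$|s'`. Since this is a denylist on the shape of the string, it is worth confirming that the read path does not unserialize values that arrived through this form; the storage and load code is not visible in this hunk. The bare `return;` also rejects silently, whereas the blocked-key branch just below reports through `notice(...)`. The enclosing method starts and ends outside the hunk.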