diff options
| author | Mario <mario@mariovavti.com> | 2018-11-25 10:22:09 +0100 |
|---|---|---|
| committer | Mario <mario@mariovavti.com> | 2018-11-25 10:22:09 +0100 |
| commit | e5883dd60536c3ba35a7569d61c3bc19a7ebc3e1 (patch) | |
| tree | 451470ad28935a5074fe82ad268a6ac96d638e13 | |
| parent | 9bbd6ff67d80354288fc6058f85eb672d8d32348 (diff) | |
| parent | 6b02c664fb9444d66322605c408bb791457ee0b5 (diff) | |
| download | volse-hubzilla-e5883dd60536c3ba35a7569d61c3bc19a7ebc3e1.tar.gz volse-hubzilla-e5883dd60536c3ba35a7569d61c3bc19a7ebc3e1.tar.bz2 volse-hubzilla-e5883dd60536c3ba35a7569d61c3bc19a7ebc3e1.zip | |
Merge branch 'patch-20181120a' into 'dev'
Do not store serialized pconfig value received via to Module/Pconfig.php
See merge request hubzilla/core!1402
| -rw-r--r-- | Zotlabs/Module/Pconfig.php | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/Zotlabs/Module/Pconfig.php b/Zotlabs/Module/Pconfig.php index 44fe5d9a9..f31d5fdf6 100644 --- a/Zotlabs/Module/Pconfig.php +++ b/Zotlabs/Module/Pconfig.php @@ -22,6 +22,11 @@ class Pconfig extends \Zotlabs\Web\Controller { $k = trim(escape_tags($_POST['k'])); $v = trim($_POST['v']); $aj = intval($_POST['aj']); + + // Do not store "serialized" data received in the $_POST + if (preg_match('|^a:[0-9]+:{.*}$|s',$v) || preg_match('O:8:"stdClass":[0-9]+:{.*}$|s',$v)) { + return; + } if(in_array(argv(2),$this->disallowed_pconfig())) { notice( t('This setting requires special processing and editing has been blocked.') . EOL); |