aboutsummaryrefslogtreecommitdiffstats
path: root/Zotlabs
diff options
context:
space:
mode:
authorHarald Eilertsen <haraldei@anduin.net>2023-12-17 19:30:05 +0100
committerHarald Eilertsen <haraldei@anduin.net>2023-12-17 19:30:05 +0100
commit9c184ddfd0e986af7bb99a45a3c7c8f1bf616035 (patch)
tree47499461f8622826cbd01aaeea84488673539aac /Zotlabs
parent69266cd6c65d228320dede32a343a9d3f3ea63df (diff)
downloadvolse-hubzilla-9c184ddfd0e986af7bb99a45a3c7c8f1bf616035.tar.gz
volse-hubzilla-9c184ddfd0e986af7bb99a45a3c7c8f1bf616035.tar.bz2
volse-hubzilla-9c184ddfd0e986af7bb99a45a3c7c8f1bf616035.zip
Fix deserialization of config values broken by 69266cd6.
This should fix issue #1828. This patch makes it explicit that we store arrays in the config as json encoded arrays, while we allow both json encoded and PHP serialized arrays to be deserialized correctly. Unless it's a brand new install, the existing data in the database will be PHP serialized. I've also added a hardening measure in case we fall back to PHP unserialize, making sure we're not vulnerable to a PHP Object Injection attack. This means that deserializing arrays containing PHP objects will no longer work, but afaict we never do that anyways, so I don't think that should break anything.
Diffstat (limited to 'Zotlabs')
-rw-r--r--Zotlabs/Lib/Config.php21
1 files changed, 15 insertions, 6 deletions
diff --git a/Zotlabs/Lib/Config.php b/Zotlabs/Lib/Config.php
index 40d5cc246..fa0abc892 100644
--- a/Zotlabs/Lib/Config.php
+++ b/Zotlabs/Lib/Config.php
@@ -72,7 +72,7 @@ class Config {
*/
public static function Set($family, $key, $value) {
// manage array value
- $dbvalue = ((is_array($value)) ? serialise($value) : $value);
+ $dbvalue = ((is_array($value)) ? 'json:' . json_encode($value) : $value);
$dbvalue = ((is_bool($dbvalue)) ? intval($dbvalue) : $dbvalue);
if (self::Get($family, $key) === false || (! self::get_from_storage($family, $key))) {
@@ -130,11 +130,20 @@ class Config {
return $default;
}
- return ((! is_array(App::$config[$family][$key])) && (preg_match('|^a:[0-9]+:{.*}$|s', App::$config[$family][$key]))
- ? unserialize(App::$config[$family][$key])
- : App::$config[$family][$key]
- );
-
+ $value = App::$config[$family][$key];
+
+ if (! is_array($value)) {
+ if (substr($value, 0, 5) == 'json:') {
+ return json_decode(substr($value, 5), true);
+ } else if (preg_match('|^a:[0-9]+:{.*}$|s', $value)) {
+ // Unserialize in inherently unsafe. Try to mitigate by not
+ // allowing unserializing objects. Only kept for backwards
+ // compatibility. JSON serialization should be prefered.
+ return unserialize($value, array('allowed_classes' => false));
+ } else {
+ return $value;
+ }
+ }
}
return $default;