From 6b02c664fb9444d66322605c408bb791457ee0b5 Mon Sep 17 00:00:00 2001
From: "M. Dent"
Date: Sun, 25 Nov 2018 10:22:09 +0100
Subject: Do not store serialized pconfig value received via to Module/Pconfig.php

---
 Zotlabs/Module/Pconfig.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Zotlabs/Module/Pconfig.php b/Zotlabs/Module/Pconfig.php
index 44fe5d9a9..f31d5fdf6 100644
--- a/Zotlabs/Module/Pconfig.php
+++ b/Zotlabs/Module/Pconfig.php
@@ -22,6 +22,11 @@ class Pconfig extends \Zotlabs\Web\Controller {
 		$k = trim(escape_tags($_POST['k']));
 		$v = trim($_POST['v']);
 		$aj = intval($_POST['aj']);
+
+		// Do not store "serialized" data received in the $_POST
+		if (preg_match('|^a:[0-9]+:{.*}$|s',$v) || preg_match('O:8:"stdClass":[0-9]+:{.*}$|s',$v)) {
+			return;
+		}
 
 		if(in_array(argv(2),$this->disallowed_pconfig())) {
 			notice( t('This setting requires special processing and editing has been blocked.') . EOL);
-- 
cgit v1.2.3
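Review bot: The second pattern in the added check, `'O:8:"stdClass":[0-9]+:{.*}$|s'`, has no opening delimiter, so preg_match() emits a warning and returns false, which means serialized stdClass objects are never rejected and only the array form is actually filtered. Even with the delimiter restored, matching the literal `stdClass` alone lets any other serialized object string through, and the bare `return;` discards the value with no notice to the caller, so a blocked write is indistinguishable from a successful one. A single anchored pattern that covers both shapes is simpler and closes the gap: `if (preg_match('/^(a:[0-9]+|O:[0-9]+:"[^"]*":[0-9]+):{.*}$/s', $v)) {`, ideally followed by a notice() in the same style as the disallowed-key branch below. The enclosing method of Pconfig starts and ends outside the hunk.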