only unserialis(z)e if we deal with a string

Mario
2025-11-14 18:34:25 +00:00
parent 6ced694b53
commit d48c9ce562


@@ -35,13 +35,15 @@ class IConfig {
if(is_array($item) && array_key_exists('iconfig',$item) && is_array($item['iconfig'])) {
foreach($item['iconfig'] as $c) {
if (isset($c['iid']) && $c['iid'] == $iid && isset($c['cat']) && $c['cat'] == $family && isset($c['k']) && $c['k'] == $key) {
if (str_starts_with($c['v'], 'json:')) {
$c['v'] = unserialise($c['v']);
} else if (preg_match('|^a:[0-9]+:{.*}$|s', $c['v'])) {
// Unserialize in inherently unsafe. Try to mitigate by not
// allowing unserializing objects. Only kept for backwards
// compatibility. JSON serialization should be prefered.
$c['v'] = unserialize($c['v'], ['allowed_classes' => false]);
if (is_string($c['v'])) {
if (str_starts_with($c['v'], 'json:')) {
$c['v'] = unserialise($c['v']);
} else if (preg_match('|^a:[0-9]+:{.*}$|s', $c['v'])) {
// Unserialize in inherently unsafe. Try to mitigate by not
// allowing unserializing objects. Only kept for backwards
// compatibility. JSON serialization should be prefered.
$c['v'] = unserialize($c['v'], ['allowed_classes' => false]);
}
}
return $c['v'];
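Review bot: On the legacy branch, `unserialize()` returns `false` (and raises a notice or warning) when a value matches the `a:N:{…}` pattern but is not valid serialized data, and that `false` is then returned in place of the stored string. The regex only checks the outer shape, and a well-formed `a:` payload can only decode to an array, so I would keep the result only in that case: `$v = unserialize($c['v'], ['allowed_classes' => false, 'max_depth' => 16]); if (is_array($v)) { $c['v'] = $v; }`. The `max_depth` option (PHP 7.4+) bounds nesting in case these values can arrive from items received from other sites, which is not visible here; the depth of 16 is a placeholder to tune. Separately, the match condition checks `isset()` for `iid`, `cat` and `k` but not `v`, so `isset($c['v']) && is_string($c['v'])` would avoid an undefined-key warning on a row without a value. The enclosing method starts and ends outside the hunk.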