
Issue #3271162: Potential security risk using "unserialize" without limited allowed classes

parent 5e138a69
......@@ -17,8 +17,5 @@ micon.micon.*:
type: string
label: 'Type'
archive:
type: sequence
type: string
label: 'Archive'
sequence:
type: string
label: 'Archive content'
......@@ -2,4 +2,4 @@ name: Micon
description: 'An IcoMoon-based icon manager for Drupal.'
package: Micon
type: module
core_version_requirement: ^8 || ^9
core_version_requirement: ^9
<?php
/**
* @file
* Standard installation functions for micon.
*/
/**
* Upgrade to new storage format.
*/
function micon_update_8001() {
$entities = \Drupal::entityTypeManager()
->getStorage('micon')
->loadMultiple();
foreach ($entities as $entity) {
$data = implode('', $entity->get('archive'));
$zip_archive = unserialize(gzuncompress(stripslashes(base64_decode(strtr($data, '-_,', '+/=')))), ['allowed_classes' => FALSE]);
$entity->set('archive', $zip_archive);
$entity->save();
}
drupal_flush_all_caches();
}
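Review bot: The update hook on the `implode('', $entity->get('archive'))` line assumes every entity still holds the old sequence format; on PHP 8 `implode()` with a string second argument throws a TypeError, so an entity already saved in the new raw-string format (or a re-run of the hook) aborts the update batch. Guard it before decoding, `$archive = $entity->get('archive'); if (!is_array($archive)) { continue; }`. The decode chain also passes the `FALSE` that `base64_decode()`/`gzuncompress()` return on corrupt input straight into `unserialize()`, which then emits a notice and yields `FALSE` as the new archive value; checking `$raw === FALSE` and logging/skipping that entity would keep a single bad record from being rewritten as garbage. Passing `['allowed_classes' => FALSE]` is the right mitigation here, since the stored blob should only ever contain a string and no object may be instantiated from it.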
......@@ -179,17 +179,15 @@ class Micon extends ConfigEntityBase implements MiconInterface {
* {@inheritdoc}
*/
public function setArchive($zip_path) {
$data = strtr(base64_encode(addslashes(gzcompress(serialize(file_get_contents($zip_path)), 9))), '+/=', '-_,');
$parts = str_split($data, 200000);
$this->set('archive', $parts);
$data = file_get_contents($zip_path);
$this->set('archive', $data);
}
/**
* {@inheritdoc}
*/
public function getArchive() {
$data = implode('', $this->get('archive'));
return unserialize(gzuncompress(stripslashes(base64_decode(strtr($data, '-_,', '+/=')))));
return $this->get('archive');
}
/**
......@@ -268,7 +266,7 @@ class Micon extends ConfigEntityBase implements MiconInterface {
}
/**
* Take base64 encoded archive and save it to a temporary file for extraction.
* Take archive and save it to a temporary file for extraction.
*/
protected function archiveDecode() {
$data = $this->getArchive();
......@@ -293,14 +291,22 @@ class Micon extends ConfigEntityBase implements MiconInterface {
}
$directory = $this->getDirectory();
$file_system->deleteRecursive($directory);
if (is_dir($directory)) {
$file_system->deleteRecursive($directory);
}
$file_system->prepareDirectory($directory, FileSystemInterface::CREATE_DIRECTORY | FileSystemInterface::MODIFY_PERMISSIONS);
$archiver->extract($directory);
// Remove unnecessary files.
$file_system->deleteRecursive($directory . '/demo-files');
$file_system->deleteRecursive($directory . '/demo.html');
$file_system->delete($directory . '/Read Me.txt');
if (is_dir($directory . '/demo-files')) {
$file_system->deleteRecursive($directory . '/demo-files');
}
if (file_exists($directory . '/demo.html')) {
$file_system->delete($directory . '/demo.html');
}
if (file_exists($directory . '/Read Me.txt')) {
$file_system->delete($directory . '/Read Me.txt');
}
// Set package type to svg.
if (file_exists($directory . '/symbol-defs.svg')) {
......@@ -355,6 +361,8 @@ class Micon extends ConfigEntityBase implements MiconInterface {
// becoming m-icon-icon.
$file_contents = str_replace('MICON', $this->id() . '-', $file_contents);
file_put_contents($file_path, $file_contents);
drupal_flush_all_caches();
}
}
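Review bot: In `setArchive()` the new `$data = file_get_contents($zip_path);` line stores whatever comes back unchecked, so on an unreadable path the entity's `archive` property becomes `FALSE` rather than the `string` the updated config schema declares, and the failure only surfaces later in `archiveDecode()`. Fail early instead: `if ($data === FALSE) { throw new \RuntimeException("Unable to read archive at $zip_path."); }` before the `$this->set('archive', $data);` call. Note also that the raw zip bytes are now written to config without the previous base64 layer; active config storage presumably copes, but config export to YAML of non-UTF-8 bytes should be verified in a round-trip test before release. The `archiveDecode()` hunk's `prepareDirectory()` return value is likewise ignored before `$archiver->extract($directory)`; that method starts and ends outside the hunk.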