Skip to content
Snippets Groups Projects

Issue #3391461: Harden the use of unserialize in InlineBlock via allowed classes

Open Issue #3391461: Harden the use of unserialize in InlineBlock via allowed classes
issue/drupal-3391461:3391461-harden-the-use into 11.x
2 unresolved threads
Open Lee Rowlands requested to merge issue/drupal-3391461:3391461-harden-the-use into 11.x
2 unresolved threads
Compare
and
2 files
+ 146
2
Compare changes
  • Side-by-side
  • Inline
Files
2
core/modules/layout_builder/src/Plugin/Block/InlineBlock.php
+ 17
2
@@ -4,6 +4,7 @@
@@ -4,6 +4,7 @@
use Drupal\block_content\Access\RefinableDependentAccessInterface;
use Drupal\block_content\Access\RefinableDependentAccessInterface;
use Drupal\block_content\Access\RefinableDependentAccessTrait;
use Drupal\block_content\Access\RefinableDependentAccessTrait;
 
use Drupal\Component\Plugin\PluginBase;
use Drupal\Component\Utility\NestedArray;
use Drupal\Component\Utility\NestedArray;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Block\Attribute\Block;
use Drupal\Core\Block\Attribute\Block;
@@ -221,6 +222,20 @@ public function build() {
@@ -221,6 +222,20 @@ public function build() {
return $this->entityTypeManager->getViewBuilder($block->getEntityTypeId())->view($block, $this->configuration['view_mode']);
return $this->entityTypeManager->getViewBuilder($block->getEntityTypeId())->view($block, $this->configuration['view_mode']);
}
}
 
/**
 
* Return the unserialized version of the block_serialized configuration.
 
*
 
* @return mixed
 
* Result of unserialize() function.
 
*/
 
protected function getUnserializedBlock(): mixed {
 
$base_class = $this->entityTypeManager->getDefinition('block_content')->getClass();
 
[, $bundle] = explode(PluginBase::DERIVATIVE_SEPARATOR, $this->getPluginId());
 
$bundle_class = $this->entityTypeManager->getStorage('block_content')->getEntityClass($bundle);
 
 
return unserialize($this->configuration['block_serialized'], ['allowed_classes' => [$base_class, $bundle_class]]);
 
}
 
/**
/**
* Loads or creates the block content entity of the block.
* Loads or creates the block content entity of the block.
*
*
@@ -230,7 +245,7 @@ public function build() {
@@ -230,7 +245,7 @@ public function build() {
protected function getEntity() {
protected function getEntity() {
if (!isset($this->blockContent)) {
if (!isset($this->blockContent)) {
if (!empty($this->configuration['block_serialized'])) {
if (!empty($this->configuration['block_serialized'])) {
$this->blockContent = unserialize($this->configuration['block_serialized']);
$this->blockContent = $this->getUnserializedBlock();
}
}
elseif (!empty($this->configuration['block_revision_id'])) {
elseif (!empty($this->configuration['block_revision_id'])) {
$entity = $this->entityTypeManager->getStorage('block_content')->loadRevision($this->configuration['block_revision_id']);
$entity = $this->entityTypeManager->getStorage('block_content')->loadRevision($this->configuration['block_revision_id']);
@@ -274,7 +289,7 @@ public function saveBlockContent($new_revision = FALSE, $duplicate_block = FALSE
@@ -274,7 +289,7 @@ public function saveBlockContent($new_revision = FALSE, $duplicate_block = FALSE
/** @var \Drupal\block_content\BlockContentInterface $block */
/** @var \Drupal\block_content\BlockContentInterface $block */
$block = NULL;
$block = NULL;
if (!empty($this->configuration['block_serialized'])) {
if (!empty($this->configuration['block_serialized'])) {
$block = unserialize($this->configuration['block_serialized']);
$block = $this->getUnserializedBlock();
}
}
if ($duplicate_block) {
if ($duplicate_block) {
if (empty($block) && !empty($this->configuration['block_revision_id'])) {
if (empty($block) && !empty($this->configuration['block_revision_id'])) {