
Issue #3391461: Harden the use of unserialize in InlineBlock via allowed classes

Open Lee Rowlands requested to merge issue/drupal-3391461:3391461-harden-the-use into 11.x
@@ -4,6 +4,7 @@
use Drupal\block_content\Access\RefinableDependentAccessInterface;
use Drupal\block_content\Access\RefinableDependentAccessTrait;
use Drupal\Component\Plugin\PluginBase;
use Drupal\Component\Utility\NestedArray;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Block\Attribute\Block;
@@ -221,6 +222,20 @@ public function build() {
return $this->entityTypeManager->getViewBuilder($block->getEntityTypeId())->view($block, $this->configuration['view_mode']);
}
/**
* Return the unserialized version of the block_serialized configuration.
*
* @return mixed
* Result of unserialize() function.
*/
protected function getUnserializedBlock(): mixed {
$base_class = $this->entityTypeManager->getDefinition('block_content')->getClass();
[, $bundle] = explode(PluginBase::DERIVATIVE_SEPARATOR, $this->getPluginId());
$bundle_class = $this->entityTypeManager->getStorage('block_content')->getEntityClass($bundle);
return unserialize($this->configuration['block_serialized'], ['allowed_classes' => [$base_class, $bundle_class]]);
}
/**
* Loads or creates the block content entity of the block.
*
@@ -230,7 +245,7 @@ public function build() {
protected function getEntity() {
if (!isset($this->blockContent)) {
if (!empty($this->configuration['block_serialized'])) {
$this->blockContent = unserialize($this->configuration['block_serialized']);
$this->blockContent = $this->getUnserializedBlock();
}
elseif (!empty($this->configuration['block_revision_id'])) {
$entity = $this->entityTypeManager->getStorage('block_content')->loadRevision($this->configuration['block_revision_id']);
@@ -274,7 +289,7 @@ public function saveBlockContent($new_revision = FALSE, $duplicate_block = FALSE
/** @var \Drupal\block_content\BlockContentInterface $block */
$block = NULL;
if (!empty($this->configuration['block_serialized'])) {
$block = unserialize($this->configuration['block_serialized']);
$block = $this->getUnserializedBlock();
}
if ($duplicate_block) {
if (empty($block) && !empty($this->configuration['block_revision_id'])) {
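Review bot: `unserialize()` with `allowed_classes` does not fail closed — a payload naming any class outside `[$base_class, $bundle_class]` still comes back as a `__PHP_Incomplete_Class` object, and malformed input returns `FALSE` with a notice — yet `getUnserializedBlock()` is declared `mixed` and the call sites in `getEntity()` and `saveBlockContent()` assign its result straight to `$this->blockContent` / `$block` and go on to use it as an entity, where the first method call on an incomplete object is a fatal `Error`. I would add an explicit type check after `unserialize()` and throw (or, if the `block_revision_id` fallback on the following lines is meant to absorb this, return NULL) so a tampered `block_serialized` value is rejected at the boundary rather than somewhere downstream; see the fence. The allow-list also applies to objects nested inside the entity's serialized state — if a field value can legitimately carry another object (I believe an unsaved referenced entity can), it would now be returned as `__PHP_Incomplete_Class` too, so a kernel test that round-trips such a block is worth adding before merge. `[, $bundle] = explode(PluginBase::DERIVATIVE_SEPARATOR, $this->getPluginId())` additionally assumes a derivative plugin ID; that holds for inline blocks, but `$bundle` is undefined otherwise.
```php
protected function getUnserializedBlock(): \Drupal\block_content\BlockContentInterface {
  // … unchanged: $base_class / $bundle / $bundle_class lookup …
  $block = unserialize($this->configuration['block_serialized'], ['allowed_classes' => [$base_class, $bundle_class]]);
  // allowed_classes does not fail closed: a disallowed class is returned as
  // __PHP_Incomplete_Class and malformed input as FALSE, so verify the result.
  if (!$block instanceof $base_class) {
    throw new \UnexpectedValueException('The block_serialized configuration did not unserialize to a block_content entity.');
  }
  return $block;
}
```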