Issue #3421234 Json and PHP serializers should throw exception on failure
Closes #3421234
Merge request reports
Activity
added 1 commit
- Resolved by Stephen Mustgrave
added 149 commits
-
d144d958...e4307bdb - 144 commits from branch
project:11.x - ffa3a68b - Issue #3421234 Json and PHP serializers should throw exception on failure
- 25d4b0de - Issue #3421234 Json and PHP serializers should throw exception on failure
- 3cc68b0b - Apply 1 suggestion(s) to 1 file(s)
- 2e2b6964 - Oembed should catch the exception, not look at internal data of method.
- 2e0fbb22 - Fixup failures related to now throwing exception.
Toggle commit list-
d144d958...e4307bdb - 144 commits from branch
added 227 commits
-
f33fac61...51ae0389 - 220 commits from branch
project:11.x - e0d132c6 - Issue #3421234 Json and PHP serializers should throw exception on failure
- 5e3330dd - Issue #3421234 Json and PHP serializers should throw exception on failure
- 8c97db3a - Apply 1 suggestion(s) to 1 file(s)
- 75a71c22 - Oembed should catch the exception, not look at internal data of method.
- 61a78bb8 - Fixup failures related to now throwing exception.
- 4538cdfb - Lint cleanup.
- ab66fd72 - Security advisory handle exception
Toggle commit list-
f33fac61...51ae0389 - 220 commits from branch
18 20 * {@inheritdoc} 19 21 */ 20 22 public static function decode($raw) { 21 return unserialize($raw); 23 // Suppress warnings and errors from unserialize. 24 $decoded = @unserialize($raw, ['allowed_classes' => TRUE]); 25 26 // Check if unserialize returned FALSE. 27 if ($decoded === FALSE && $raw !== 'b:0;') { This is also in the notes section of the PHP unserialize method, we’re just using the raw string to save an extra function call and provide stability
Technically there is a risk that the format changes that comparing to serialize() would allow to continue however that only works if every system and source is running the same versions of PHP as the version that stored it which is not an assumption we can make.
added 434 commits
-
ab66fd72...501bbdbe - 433 commits from branch
project:11.x - 3af4af45 - Merge branch '11.x' of https://git.drupalcode.org/project/drupal into 3421234-json-and-php
-
ab66fd72...501bbdbe - 433 commits from branch
130 131 } 131 132 $response = $this->doRequest($timeout); 132 133 $interval_seconds = $this->config->get('interval_hours') * 60 * 60; 133 $json_payload = Json::decode($response); 134 135 try { 136 $json_payload = Json::decode($response); 137 } 138 catch (InvalidDataTypeException) { 139 $this->logger->error('The security advisory JSON feed from Drupal.org could not be decoded.'); 140 return NULL; 141 } 142 134 143 if (is_array($json_payload)) { While this was more critical when Json::decode could return null on a bad decode, there is still the possibility that the remote response was not an array and instead contained a single boolean, NULL string, or other non array value. At this point this is untrusted data and we are starting to validate it.
This check makes sure its at least contains an array of responses before being stored in the Key-Value store or being passed on.
PHPStan would likely on a sufficiently high level without ignores flag line 148/157 as operating on a non-array without this check.