Commit c6ab61f5 authored by Arti's avatar Arti Committed by Pawel Ginalski

Issue #3368121 by arti_parmar, gbyte, WalkingDexter: unserialize() is insecure...

Issue #3368121 by arti_parmar, gbyte, WalkingDexter: unserialize() is insecure unless allowed classes are limited
......@@ -6,10 +6,7 @@
<file>.</file>
<rule ref="Drupal"/>
<rule ref="DrupalPractice">
<!-- unserialize() is already used in many places. -->
<exclude name="DrupalPractice.FunctionCalls.InsecureUnserialize"/>
</rule>
<rule ref="DrupalPractice"/>
<!-- Update hooks may have long descriptions. -->
<rule ref="Drupal.Files.LineLength.TooLong">
<exclude-pattern>\.install</exclude-pattern>
......@@ -418,7 +418,7 @@ function simple_sitemap_update_8208() {
->execute()->fetchAll(\PDO::FETCH_OBJ);
foreach ($results as $row) {
$settings = unserialize($row->inclusion_settings);
$settings = unserialize($row->inclusion_settings, ['allowed_classes' => FALSE]);
if (!isset($settings['changefreq'])) {
\Drupal::database()->update('simple_sitemap_entity_overrides')
->fields(['inclusion_settings' => serialize($settings + ['changefreq' => ''])])
......@@ -454,7 +454,7 @@ function simple_sitemap_update_8209() {
->execute()->fetchAll(\PDO::FETCH_OBJ);
foreach ($results as $row) {
$settings = unserialize($row->inclusion_settings);
$settings = unserialize($row->inclusion_settings, ['allowed_classes' => FALSE]);
if (!isset($settings['include_images'])) {
\Drupal::database()->update('simple_sitemap_entity_overrides')
->fields(['inclusion_settings' => serialize($settings + ['include_images' => 0])])
......@@ -557,7 +557,7 @@ function simple_sitemap_update_8212() {
->execute()->fetchAll(\PDO::FETCH_OBJ);
foreach ($results as $row) {
$settings = unserialize($row->inclusion_settings);
$settings = unserialize($row->inclusion_settings, ['allowed_classes' => FALSE]);
if (isset($settings['index'])) {
$settings['index'] = (bool) $settings['index'];
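Review bot: The value returned by the new unserialize() call is still used as an array without a type check: unserialize() returns FALSE on malformed input, `isset($settings['changefreq'])` is simply false for FALSE, and the following `$settings + ['changefreq' => '']` then applies array union to a non-array, which PHP rejects as an unsupported operand type, so one corrupt row would abort the whole update hook. A guard right after the call, `if (!is_array($settings)) { continue; }` (or log and skip), would keep the hook running; the same pattern appears in the simple_sitemap_update_8209() and simple_sitemap_update_8212() hunks below. With allowed_classes set to FALSE, any object that was ever stored in inclusion_settings would come back as __PHP_Incomplete_Class and be re-serialized as such; this looks harmless because the settings are handled as keyed arrays here, but is worth confirming. The enclosing function simple_sitemap_update_8208() starts outside the hunk.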
......@@ -256,7 +256,7 @@ class EntityManager implements SitemapGetterInterface {
$delete_instances = [];
foreach ($query->execute()->fetchAll() as $result) {
$delete = TRUE;
$instance_settings = unserialize($result->inclusion_settings);
$instance_settings = unserialize($result->inclusion_settings, ['allowed_classes' => FALSE]);
foreach ($instance_settings as $setting_key => $instance_setting) {
if ($instance_setting != $settings[$setting_key]) {
$delete = FALSE;
......@@ -512,7 +512,7 @@ class EntityManager implements SitemapGetterInterface {
->fetchField();
if (!empty($results)) {
return [$variant => unserialize($results)];
return [$variant => unserialize($results, ['allowed_classes' => FALSE])];
}
if (($entity = $this->entityTypeManager->getStorage($entity_type_id)->load($id)) === NULL) {
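Review bot: In the first hunk the unserialized value is iterated on the next line without checking that it is an array; if unserialize() returns FALSE for a malformed inclusion_settings value, the foreach emits a warning and runs zero iterations, `$delete` stays TRUE, and the row is presumably added to `$delete_instances` and removed. A guard before the loop, `if (!is_array($instance_settings)) { continue; }` (or treating a non-array as a mismatch), would keep corrupt rows from being silently deleted. The return in the second hunk has the same unchecked use, where callers presumably expect an array rather than FALSE. Both enclosing methods start outside their hunks.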
......@@ -2,9 +2,9 @@
namespace Drupal\simple_sitemap\Queue;
use Drupal\Component\Datetime\TimeInterface;
use Drupal\Core\Database\Connection;
use Drupal\Core\Queue\DatabaseQueue;
use Drupal\Component\Datetime\TimeInterface;
/**
* Defines a Simple XML Sitemap queue handler.
......@@ -44,7 +44,7 @@ class SimpleSitemapQueue extends DatabaseQueue {
try {
$item = $this->connection->queryRange('SELECT data, item_id FROM {queue} q WHERE name = :name ORDER BY item_id ASC', 0, 1, [':name' => $this->name])->fetchObject();
if ($item) {
$item->data = unserialize($item->data);
$item->data = unserialize($item->data, ['allowed_classes' => FALSE]);
return $item;
}
}
......@@ -72,7 +72,7 @@ class SimpleSitemapQueue extends DatabaseQueue {
try {
$query = $this->connection->query('SELECT data, item_id FROM {queue} q WHERE name = :name ORDER BY item_id ASC', [':name' => $this->name]);
while ($item = $query->fetchObject()) {
$item->data = unserialize($item->data);
$item->data = unserialize($item->data, ['allowed_classes' => FALSE]);
yield $item;
}
}
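Review bot: With `'allowed_classes' => FALSE`, any queue item whose payload contains an object now comes back as __PHP_Incomplete_Class instead of failing loudly, and nothing in the hunk documents that items are expected to be plain data. Since this class extends DatabaseQueue, whose createItem() serializes whatever it is handed, it is worth confirming that every producer enqueues only arrays and scalars, or else naming the expected classes explicitly, e.g. `['allowed_classes' => [/* expected class placeholder */]]`. The same applies to the generator hunk below; a one-line comment on both calls such as `// Queue payloads are plain arrays; never instantiate classes from stored data.` would record the assumption for the next maintainer. The enclosing methods start outside the hunks.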