Skip to content

Jt/fix serialized values#1510

Merged
jtsternberg merged 10 commits intodevelopfrom
jt/fix-serialized-values
Apr 2, 2024
Merged

Jt/fix serialized values#1510
jtsternberg merged 10 commits intodevelopfrom
jt/fix-serialized-values

Conversation

@jtsternberg
Copy link
Member

@jtsternberg jtsternberg commented Mar 29, 2024
edited
Loading

Description

Update how we store/retrieve serialized values (the text_datetime_timestamp_timezone field).

Also… bumps our min. php support to 7.4 🥳

Motivation and Context

security.

Risk Level

Testing procedure

Before this PR

  1. Create fields (preferably in every core object type) with the text_datetime_timestamp_timezone field type

    • example:
    $cmb->add_field( array(
   'name' => __( 'Test Date/Time Picker/Time zone Combo (serialized DateTime object)', 'cmb2' ),
   'desc' => __( 'field description (optional)', 'cmb2' ),
   'id'   => '_yourprefix_demo_datetime_timestamp_timezone',
   'type' => 'text_datetime_timestamp_timezone',
   'time_format' => 'H:i',
   'date_format' => 'Y-m-d',
   // 'repeatable' => true,
   'before_field' => function ( $args, $field ) {
      // echo '<xmp>'. __LINE__ .') $field: '. print_r( $field, true ) .'</xmp>';
      $value = get_post_meta( $field->object_id, $field->id(), 1 );
      echo '<xmp>$value: '. print_r( $value, true ) .'</xmp>';
      $_utc_value = get_post_meta( $field->object_id, $field->id(). '_utc', 1 );
      echo '<xmp>$_utc_value: '. print_r( $_utc_value, true ) .'</xmp>';
   },
   'column' => true,
) );

    And you can test the options-page type with the following setup: https://gist.github.com/jtsternberg/d6ab21ca3a7de1a77d1adfefa0b9445f

  2. In each object type, udpate the value, save, see that it all works as expected.

  3. Check the DB values -- you should see a double-serialized DateTime object

  4. Try using get_post_meta to retrieve the value and see that it's a serialized DateTime object. (if you used the example above, you can see the value in the before_field callback).

Next

  1. Pull down this PR
  2. Review every field in each object type (refresh the page) and make sure field looks/acts correctly.
  3. See that the get_post_meta value still gives you a serialized DateTime object.
  4. Try storing a bad actor value to the DB: wp post meta update 1 _yourprefix_demo_datetime_timestamp_timezone 'O:4:"Evil":2:{s:4:"hack";N;s:2:"me";R:2;}'
  5. Reload the various pages and see that the field still looks/acts correctly, except the value is blank.

@jtsternberg
Officially move to PHP 7.4+ support. 'bout time
f9413d2
@jtsternberg
Address security concern with using unserialize on arbitrary datetime…
10f50df 
… values

Uses the allowed_classes option to unserialize (the options param only supported after 7.0+)
@jtsternberg
Switch to storing datetime json for text_datetime_timestamp_timezone
462c0ca 
Further resolves security concerns with unserializing arbitrary data.
@jtsternberg
Add CMB2::is_supported_core_object_type helper method
ae1c740
@jtsternberg
Add util methods to handle converting a serialized datetime object sa…
320074f 
…fely, as well as helpers to convert json version to datetime object
@jtsternberg
Update CMB2_Display_Text_Date_Timezone to parse values from json/seri…
332afbf 
…alized

Updates one use of unserialize to a safe version

Also cleans up the method and makes things a bit less "clever"
@jtsternberg
Update CMB2_Type_Text_Datetime_Timestamp_Timezone to also use our CMB…
a4e92e3 
…2_Utils::get_datetime_from_value helper
@jtsternberg
Adds text_datetime_timestamp_timezone back-compat shim to ensure seri…
cd43069 
…alized DateTime value returned from meta calls

This ensures anyone using this meta value can continue to use as they were.

This callback can be overridden with a field arg, $field['field_hookup_instance'][ $object_type ]
- This allows disabling the shim if you already updated your use, and allows unhooking or overriding the callback

Also Moves the rest of the field-specfic hooks from CMB2::field_actions to the new CMB2_Hookup_Field class.
@jtsternberg
Account for non-string values sent to json_to_datetime
4fea2cc
@jtsternberg
Fix field hookup instance for options pages
419646b
@jtsternberg jtsternberg self-assigned this Mar 29, 2024
@jtsternberg jtsternberg requested a review from tw2113 March 29, 2024 16:03
tw2113
tw2113 approved these changes Mar 29, 2024
View reviewed changes
Copy link
Contributor

@tw2113 tw2113 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All looked good to me overall JT.

@jtsternberg jtsternberg marked this pull request as ready for review April 1, 2024 13:56
@jtsternberg jtsternberg merged commit 3a13dec into develop Apr 2, 2024
@jtsternberg jtsternberg deleted the jt/fix-serialized-values branch April 2, 2024 17:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tw2113 tw2113 tw2113 approved these changes

Assignees

@jtsternberg jtsternberg

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jtsternberg @tw2113