Changeset 3294591

Timestamp:

05/16/2025 06:53:03 AM (8 months ago)

Author:

Prisna

Message:

Updated code to prevent administrators from injecting a PHP object during the settings import process

Location:

social-counter

Files:

• tags/2.1/classes/admin.class.php (modified) (2 diffs)
• trunk/classes/admin.class.php (modified) (2 diffs)

social-counter/tags/2.1/classes/admin.class.php

@@ -299 +299 @@
             return null;
         
-        $decode = base64_decode($value);
+        $decode = @base64_decode($value);
         
         if ($decode === false) {
@@ -306 +306 @@
         }
         
-        $unserialize = preg_match('/O:\d+:(["\'])[^\1]+?\1:\d+:{/i', $decode) ? '' : @unserialize($decode);
-
+        $to_unserialize = preg_match('/O:\d+:(["\'])[^\1]+?\1:\d+:{/i', $decode) ? '' : $decode;
+        
+        $unserialize = @unserialize($to_unserialize, array('allowed_classes' => false));
+        
         if (!is_array($unserialize)) {
             self::_set_imported_status(false);

social-counter/trunk/classes/admin.class.php

@@ -299 +299 @@
             return null;
         
-        $decode = base64_decode($value);
+        $decode = @base64_decode($value);
         
         if ($decode === false) {
@@ -306 +306 @@
         }
         
-        $unserialize = preg_match('/O:\d+:(["\'])[^\1]+?\1:\d+:{/i', $decode) ? '' : @unserialize($decode);
+        $to_unserialize = preg_match('/O:\d+:(["\'])[^\1]+?\1:\d+:{/i', $decode) ? '' : $decode;
+        
+        $unserialize = @unserialize($to_unserialize, array('allowed_classes' => false));
 
         if (!is_array($unserialize)) {