Fixed issue #9362: Loss of attribute descriptions on update

LimeSurvey · Nov 17, 2014 · 48d5e75 · 48d5e75
1 parent 5b64dba
commit 48d5e75
Show file tree

Hide file tree

Showing 5 changed files with 112 additions and 93 deletions.
diff --git a/application/controllers/admin/tokens.php b/application/controllers/admin/tokens.php
@@ -1165,9 +1165,9 @@ function deletetokenattributes($iSurveyId)
         elseif($sAttributeToDelete)
         {
             // Update field attributedescriptions in survey table
-            $aTokenAttributeDescriptions=  unserialize(Survey::model()->findByPk($iSurveyId)->attributedescriptions);
+            $aTokenAttributeDescriptions=decodeTokenAttributes(Survey::model()->findByPk($iSurveyId)->attributedescriptions);
             unset($aTokenAttributeDescriptions[$sAttributeToDelete]);
-            Survey::model()->updateByPk($iSurveyId, array('attributedescriptions' => serialize($aTokenAttributeDescriptions)));
+            Survey::model()->updateByPk($iSurveyId, array('attributedescriptions' => json_encode($aTokenAttributeDescriptions)));
 
             $sTableName="{{tokens_".intval($iSurveyId)."}}";
             Yii::app()->db->createCommand(Yii::app()->db->getSchema()->dropColumn($sTableName, $sAttributeToDelete))->execute();
@@ -1219,7 +1219,7 @@ function updatetokenattributedescriptions($iSurveyId)
                 $captions[$language][$fieldname] = $_POST["caption_{$fieldname}_$language"];
         }
 
-        Survey::model()->updateByPk($iSurveyId, array('attributedescriptions' => serialize($fieldcontents)));
+        Survey::model()->updateByPk($iSurveyId, array('attributedescriptions' => json_encode($fieldcontents)));
         foreach ($languages as $language)
         {
             $ls = SurveyLanguageSetting::model()->findByAttributes(array('surveyls_survey_id' => $iSurveyId, 'surveyls_language' => $language));
@@ -2447,7 +2447,7 @@ function _newtokentable($iSurveyId)
                                 );
                 }
             }
-            Survey::model()->updateByPk($iSurveyId, array('attributedescriptions' => serialize($fieldcontents)));
+            Survey::model()->updateByPk($iSurveyId, array('attributedescriptions' => json_encode($fieldcontents)));
 
 
             Yii::app()->db->createCommand()->renameTable(Yii::app()->request->getPost('oldtable'), Yii::app()->db->tablePrefix."tokens_".intval($iSurveyId));

diff --git a/application/helpers/common_helper.php b/application/helpers/common_helper.php
@@ -7499,5 +7499,24 @@ function getMaximumFileUploadSize()
         return min(convertPHPSizeToBytes(ini_get('post_max_size')), convertPHPSizeToBytes(ini_get('upload_max_filesize')));
     }
 
+    /**
+    * Decodes token attribute data because due to bugs in the past it can be written in JSON or be serialized - future format should be JSON as serialized data can be exploited
+    *
+    * @param string $oTokenAttributeData  The original token attributes as stored in the database
+    */
+    function decodeTokenAttributes($oTokenAttributeData){
+        if (trim($oTokenAttributeData)=='') return array();
+        if (substr($oTokenAttributeData,0,1)!='{' && substr($oTokenAttributeData,0,1)!='[')
+        {
+            $aReturnData=@unserialize($oTokenAttributeData);
+        }
+        else
+        {
+             $aReturnData=@json_decode($oTokenAttributeData,true);
+        }
+        if ($aReturnData===false || $aReturnData===null) return array();
+        return $aReturnData;
+    }
+
 // Closing PHP tag intentionally omitted - yes, it is okay