
Commit adf2213

committed
Resoving Issue #3026
Unsafe deserialization of selected objects in Cacti
1 parent 82b665b commit adf2213


1 file changed

+15
-8
lines changed


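--- a/lib/functions.php
+++ b/lib/functions.php
@@ -3100,15 +3100,22 @@ function sanitize_cdef($cdef) {
 */
 function sanitize_unserialize_selected_items($items) {
 if ($items != '') {
-$items = unserialize(stripslashes($items));
-
-if (is_array($items)) {
-foreach ($items as $item) {
-if (is_array($item)) {
-return false;
-} elseif (!is_numeric($item) && ($item != '')) {
-return false;
+$unstripped = stripslashes($items);
+
+// validate that sanitized string is correctly formatted
+if (preg_match('/^a:[0-9]+:{/', $unstripped) && !preg_match('/(^|;|{|})O:\+?[0-9]+:"/', $unstripped)) {
+$items = unserialize($unstripped);
+
+if (is_array($items)) {
+foreach ($items as $item) {
+if (is_array($item)) {
+return false;
+} elseif (!is_numeric($item) && ($item != '')) {
+return false;
+}
 }
+} else {
+return false;
 }
 } else {
 return false;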
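Review bot: The new guard at 3106 is a blocklist, so `unserialize()` at 3107 still runs on attacker-controlled input, and the pattern only rejects the `O:` token: a `C:` (custom-serialized `Serializable` class) payload passes `!preg_match('/(^|;|{|})O:\+?[0-9]+:"/', ...)` and instantiates an object, whose `unserialize()` handler and `__destruct` run before the per-item `is_numeric` loop ever sees it. If the project's minimum PHP version is 7.0 or later, the robust fix is to forbid class instantiation at the call site, `$items = unserialize($unstripped, array('allowed_classes' => false));`, keeping the regex as defence in depth; if older PHP must be supported, at least widen the pattern to `'/(^|;|{|})[OC]:\+?[0-9]+:"/'`. Since the accepted payload is a flat list of numeric ids, rejecting nested `a:` and `r:`/`R:` tokens as well would shrink what the parser is asked to handle, and a `// blocklist only; prefer allowed_classes=false on PHP >= 7.0` comment at 3105 would stop the regex being mistaken for a complete fix. The function's remaining body, including its success return, lies outside this hunk.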
