Skip to content

SECURITY: Unsafe unserialization when working with schedules#35

Merged
TheWitness merged 4 commits intodevelopfrom
security_issues
Jan 27, 2026
Merged

SECURITY: Unsafe unserialization when working with schedules#35
TheWitness merged 4 commits intodevelopfrom
security_issues

Conversation

@TheWitness
Copy link
Member

@TheWitness TheWitness commented Jan 24, 2026

No description provided.

Copilot AI reviewed Jan 24, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the maint plugin to address unsafe unserialization when processing selected schedule/device items, along with a version bump and changelog cleanup.

Changes:

  • Replace direct unserialize() usage with sanitize_unserialize_selected_items() for selected_items handling.
  • Add CHANGELOG.md and remove the embedded changelog from README.md.
  • Bump plugin version to 1.3 and update copyright year.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
setup.php Switches selected-items parsing to a sanitized unserialize helper in device actions (but currently contains a variable mismatch bug).
README.md Removes old embedded changelog content and updates copyright year.
INFO Bumps plugin version from 1.2 to 1.3.
CHANGELOG.md Adds a dedicated changelog file for releases (contains a minor typo).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

setup.php Outdated
Comment on lines 268 to 272
$selected_items = sanitize_unserialize_selected_items(get_nfilter_request_var('selected_items'));

if (is_array($selected)) {
foreach ($selected as $host_id) {
db_execute_prepared('REPLACE INTO plugin_maint_hosts (type, host, schedule) VALUES (1, ?, ?)', array((int)$host_id, (int)$schedule_id));
Copy link

Copilot AI Jan 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

$selected_items is assigned from sanitize_unserialize_selected_items(...), but the subsequent is_array()/foreach use $selected, which is undefined. This prevents any devices from being associated with the new schedule (and will raise a PHP notice). Use $selected_items consistently in the is_array check and foreach loop (or match maint.php’s pattern of checking $selected_items != false).

Copilot uses AI. Check for mistakes.
@TheWitness TheWitness merged commit 4390433 into develop Jan 27, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@browniebraun browniebraun browniebraun approved these changes

@cigamit cigamit Awaiting requested review from cigamit

@netniV netniV Awaiting requested review from netniV

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@TheWitness @browniebraun