Disable class unserialization where it is not needed. (#1251)
* Disable class unserialization where it is not needed.

* Revert accidentally committed changes to var/.gitignore

* Re-throw unserialize errors as Exception.
colinmollenhour committed Dec 21, 2020
1 parent f326bad commit cf25b8a
Showing 47 changed files with 73 additions and 65 deletions.
2 changes: 1 addition & 1 deletion app/code/core/Mage/Admin/Model/Resource/Acl.php
Expand Up @@ -133,7 +133,7 @@ public function loadRules(Mage_Admin_Model_Acl $acl, array $rulesArr)
$assert = null;
if (0 != $rule['assert_id']) {
$assertClass = Mage::getSingleton('admin/config')->getAclAssert($rule['assert_type'])->getClassName();
$assert = new $assertClass(unserialize($rule['assert_data']));
$assert = new $assertClass(unserialize($rule['assert_data'], ['allowed_classes' => false]));
}
try {
if ($rule['permission'] == 'allow') {
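Review bot: With `['allowed_classes' => false]` on the new `unserialize()` line, an `O:` record in `assert_data` is no longer instantiated but comes back as `__PHP_Incomplete_Class`, and it is then passed straight to `new $assertClass(...)` without any check that the decoded value has the shape the assert expects. The same unchecked pattern appears in the Mage_Api_Model_Resource_Acl hunk and in every `new Varien_Object(unserialize(...))` site further down (Sales Order Create, Bundle Type, Configurable Type, Downloadable Type), so one guard strategy should be agreed for all of them rather than fixed piecemeal. Since this commit also rewrites Mage_Core_Helper_UnserializeArray to perform the same `unserialize($str, ['allowed_classes' => false])` with error checking, routing these call sites through that helper would keep the option literal in one place instead of repeating it across forty-odd files. `loadRules` continues outside the hunk.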
Expand Up @@ -201,7 +201,7 @@ public function getPackages()
{
$packages = $this->getShipment()->getPackages();
if ($packages) {
$packages = unserialize($packages);
$packages = unserialize($packages, ['allowed_classes' => false]);
} else {
$packages = array();
}
4 changes: 2 additions & 2 deletions app/code/core/Mage/Adminhtml/Model/Sales/Order/Create.php
Expand Up @@ -580,7 +580,7 @@ public function moveQuoteItem($item, $moveTo, $qty)
$info = $item->getOptionByCode('info_buyRequest');
if ($info) {
$info = new Varien_Object(
unserialize($info->getValue())
unserialize($info->getValue(), ['allowed_classes' => false])
);
$info->setQty($qty);
$info->setOptions($this->_prepareOptionsForRequest($item));
Expand Down Expand Up @@ -1511,7 +1511,7 @@ protected function _prepareQuoteItems()
}
$addOptions = $item->getOptionByCode('additional_options');
if ($addOptions) {
$options['additional_options'] = unserialize($addOptions->getValue());
$options['additional_options'] = unserialize($addOptions->getValue(), ['allowed_classes' => false]);
}
$item->setProductOrderOptions($options);
}
2 changes: 1 addition & 1 deletion app/code/core/Mage/Api/Model/Resource/Acl.php
Expand Up @@ -123,7 +123,7 @@ public function loadRules(Mage_Api_Model_Acl $acl, array $rulesArr)
$assert = null;
if (0!=$rule['assert_id']) {
$assertClass = Mage::getSingleton('api/config')->getAclAssert($rule['assert_type'])->getClassName();
$assert = new $assertClass(unserialize($rule['assert_data']));
$assert = new $assertClass(unserialize($rule['assert_data'], ['allowed_classes' => false]));
}
try {
if ($rule['api_permission'] == 'allow') {
Expand Up @@ -167,7 +167,7 @@ public function getSelectionAttributes($item)
$options = $item->getOrderItem()->getProductOptions();
}
if (isset($options['bundle_selection_attributes'])) {
return unserialize($options['bundle_selection_attributes']);
return unserialize($options['bundle_selection_attributes'], ['allowed_classes' => false]);
}
return null;
}
Expand Up @@ -126,7 +126,7 @@ public function getSelectionAttributes($item)
$options = $item->getOrderItem()->getProductOptions();
}
if (isset($options['bundle_selection_attributes'])) {
return unserialize($options['bundle_selection_attributes']);
return unserialize($options['bundle_selection_attributes'], ['allowed_classes' => false]);
}
return null;
}
Expand Up @@ -131,7 +131,7 @@ public function getSelectionAttributes($item)
$options = $item->getOrderItem()->getProductOptions();
}
if (isset($options['bundle_selection_attributes'])) {
return unserialize($options['bundle_selection_attributes']);
return unserialize($options['bundle_selection_attributes'], ['allowed_classes' => false]);
}
return null;
}
Expand Up @@ -91,7 +91,7 @@ public function getBundleOptions(Mage_Catalog_Model_Product_Configuration_Item_I

// get bundle options
$optionsQuoteItemOption = $item->getOptionByCode('bundle_option_ids');
$bundleOptionsIds = $optionsQuoteItemOption ? unserialize($optionsQuoteItemOption->getValue()) : array();
$bundleOptionsIds = $optionsQuoteItemOption ? unserialize($optionsQuoteItemOption->getValue(), ['allowed_classes' => false]) : array();
if ($bundleOptionsIds) {
/**
* @var Mage_Bundle_Model_Resource_Option_Collection
Expand All @@ -101,11 +101,11 @@ public function getBundleOptions(Mage_Catalog_Model_Product_Configuration_Item_I
// get and add bundle selections collection
$selectionsQuoteItemOption = $item->getOptionByCode('bundle_selection_ids');

$bundleSelectionIds = unserialize($selectionsQuoteItemOption->getValue());
$bundleSelectionIds = unserialize($selectionsQuoteItemOption->getValue(), ['allowed_classes' => false]);

if (!empty($bundleSelectionIds)) {
$selectionsCollection = $typeInstance->getSelectionsByIds(
unserialize($selectionsQuoteItemOption->getValue()),
unserialize($selectionsQuoteItemOption->getValue(), ['allowed_classes' => false]),
$product
);

2 changes: 1 addition & 1 deletion app/code/core/Mage/Bundle/Model/Product/Price.php
Expand Up @@ -88,7 +88,7 @@ public function getTotalBundleItemsPrice($product, $qty = null)
if ($product->hasCustomOptions()) {
$customOption = $product->getCustomOption('bundle_selection_ids');
if ($customOption) {
$selectionIds = unserialize($customOption->getValue());
$selectionIds = unserialize($customOption->getValue(), ['allowed_classes' => false]);
/** @var Mage_Bundle_Model_Resource_Selection_Collection $selections */
$selections = $product->getTypeInstance(true)->getSelectionsByIds($selectionIds, $product);
$selections->addTierPriceData();
14 changes: 7 additions & 7 deletions app/code/core/Mage/Bundle/Model/Product/Type.php
Expand Up @@ -148,7 +148,7 @@ public function getSku($product = null)

if ($this->getProduct($product)->hasCustomOptions()) {
$customOption = $this->getProduct($product)->getCustomOption('bundle_selection_ids');
$selectionIds = unserialize($customOption->getValue());
$selectionIds = unserialize($customOption->getValue(), ['allowed_classes' => false]);
if (!empty($selectionIds)) {
$selections = $this->getSelectionsByIds($selectionIds, $product);
foreach ($selections->getItems() as $selection) {
Expand Down Expand Up @@ -176,7 +176,7 @@ public function getWeight($product = null)

if ($this->getProduct($product)->hasCustomOptions()) {
$customOption = $this->getProduct($product)->getCustomOption('bundle_selection_ids');
$selectionIds = unserialize($customOption->getValue());
$selectionIds = unserialize($customOption->getValue(), ['allowed_classes' => false]);
$selections = $this->getSelectionsByIds($selectionIds, $product);
foreach ($selections->getItems() as $selection) {
$qtyOption = $this->getProduct($product)
Expand All @@ -202,7 +202,7 @@ public function isVirtual($product = null)
{
if ($this->getProduct($product)->hasCustomOptions()) {
$customOption = $this->getProduct($product)->getCustomOption('bundle_selection_ids');
$selectionIds = unserialize($customOption->getValue());
$selectionIds = unserialize($customOption->getValue(), ['allowed_classes' => false]);
$selections = $this->getSelectionsByIds($selectionIds, $product);
$virtualCount = 0;
foreach ($selections->getItems() as $selection) {
Expand Down Expand Up @@ -788,10 +788,10 @@ public function getOrderOptions($product = null)

if ($product->hasCustomOptions()) {
$customOption = $product->getCustomOption('bundle_option_ids');
$optionIds = unserialize($customOption->getValue());
$optionIds = unserialize($customOption->getValue(), ['allowed_classes' => false]);
$options = $this->getOptionsByIds($optionIds, $product);
$customOption = $product->getCustomOption('bundle_selection_ids');
$selectionIds = unserialize($customOption->getValue());
$selectionIds = unserialize($customOption->getValue(), ['allowed_classes' => false]);
$selections = $this->getSelectionsByIds($selectionIds, $product);
foreach ($selections->getItems() as $selection) {
if ($selection->isSalable()) {
Expand Down Expand Up @@ -934,9 +934,9 @@ public function checkProductBuyState($product = null)
$productOptionIds = $this->getOptionsIds($product);
$productSelections = $this->getSelectionsCollection($productOptionIds, $product);
$selectionIds = $product->getCustomOption('bundle_selection_ids');
$selectionIds = (array) unserialize($selectionIds->getValue());
$selectionIds = (array) unserialize($selectionIds->getValue(), ['allowed_classes' => false]);
$buyRequest = $product->getCustomOption('info_buyRequest');
$buyRequest = new Varien_Object(unserialize($buyRequest->getValue()));
$buyRequest = new Varien_Object(unserialize($buyRequest->getValue(), ['allowed_classes' => false]));
$bundleOption = $buyRequest->getBundleOption();

if (empty($bundleOption) && empty($selectionIds)) {
Expand Up @@ -196,7 +196,7 @@ public function getSelectionAttributes($item)
$options = $item->getOrderItem()->getProductOptions();
}
if (isset($options['bundle_selection_attributes'])) {
return unserialize($options['bundle_selection_attributes']);
return unserialize($options['bundle_selection_attributes'], ['allowed_classes' => false]);
}
return null;
}
Expand Up @@ -85,7 +85,7 @@ public function getCustomOptions(Mage_Catalog_Model_Product_Configuration_Item_I

$addOptions = $item->getOptionByCode('additional_options');
if ($addOptions) {
$options = array_merge($options, unserialize($addOptions->getValue()));
$options = array_merge($options, unserialize($addOptions->getValue(), ['allowed_classes' => false]));
}

return $options;
Expand Up @@ -42,7 +42,7 @@ public function getAllOptions()
{
$cacheKey = 'DIRECTORY_COUNTRY_SELECT_STORE_' . Mage::app()->getStore()->getCode();
if (Mage::app()->useCache('config') && $cache = Mage::app()->loadCache($cacheKey)) {
$options = unserialize($cache);
$options = unserialize($cache, ['allowed_classes' => false]);
} else {
$collection = Mage::getModel('directory/country')->getResourceCollection();
if (!Mage::app()->getStore()->isAdmin()) {
2 changes: 1 addition & 1 deletion app/code/core/Mage/Catalog/Model/Product/Type/Abstract.php
Expand Up @@ -602,7 +602,7 @@ public function getOrderOptions($product = null)
{
$optionArr = array();
if ($info = $this->getProduct($product)->getCustomOption('info_buyRequest')) {
$optionArr['info_buyRequest'] = unserialize($info->getValue());
$optionArr['info_buyRequest'] = unserialize($info->getValue(), ['allowed_classes' => false]);
}

if ($optionIds = $this->getProduct($product)->getCustomOption('option_ids')) {
Expand Up @@ -548,7 +548,7 @@ public function getSelectedAttributesInfo($product = null)
$attributes = array();
Varien_Profiler::start('CONFIGURABLE:'.__METHOD__);
if ($attributesOption = $this->getProduct($product)->getCustomOption('attributes')) {
$data = unserialize($attributesOption->getValue());
$data = unserialize($attributesOption->getValue(), ['allowed_classes' => false]);
$this->getUsedProductAttributeIds($product);

$usedAttributes = $this->getProduct($product)->getData($this->_usedAttributes);
Expand Down Expand Up @@ -681,7 +681,7 @@ public function checkProductBuyState($product = null)
$product = $this->getProduct($product);
$option = $product->getCustomOption('info_buyRequest');
if ($option instanceof Mage_Sales_Model_Quote_Item_Option) {
$buyRequest = new Varien_Object(unserialize($option->getValue()));
$buyRequest = new Varien_Object(unserialize($option->getValue(), ['allowed_classes' => false]));
$attributes = $buyRequest->getSuperAttribute();
if (is_array($attributes)) {
foreach ($attributes as $key => $val) {
Expand Up @@ -78,7 +78,7 @@ public function getTotalConfigurableItemsPrice($product, $finalPrice)

$selectedAttributes = array();
if ($product->getCustomOption('attributes')) {
$selectedAttributes = unserialize($product->getCustomOption('attributes')->getValue());
$selectedAttributes = unserialize($product->getCustomOption('attributes')->getValue(), ['allowed_classes' => false]);
}

/** @var Mage_Catalog_Model_Product_Type_Configurable_Attribute $attribute */
Expand Up @@ -1161,7 +1161,7 @@ protected function _addUrlRewrite()
if (!($urlRewrites = Mage::app()->loadCache($this->_cacheConf['prefix'] . 'urlrewrite'))) {
$urlRewrites = null;
} else {
$urlRewrites = unserialize($urlRewrites);
$urlRewrites = unserialize($urlRewrites, ['allowed_classes' => false]);
}
}

Expand Up @@ -74,7 +74,7 @@ public function getCacheData($key, $storeId)
->where('a.key=?', $key);
$data = $this->_getReadAdapter()->fetchOne($select);
if ($data) {
$data = unserialize($data);
$data = unserialize($data, ['allowed_classes' => false]);
} else {
$data = array();
}
2 changes: 1 addition & 1 deletion app/code/core/Mage/Checkout/Block/Onepage/Abstract.php
Expand Up @@ -218,7 +218,7 @@ public function getCountryOptions()
$cacheId = 'DIRECTORY_COUNTRY_SELECT_STORE_' . Mage::app()->getStore()->getCode();
$cacheTags = array('config');
if ($optionsCache = Mage::app()->loadCache($cacheId)) {
$options = unserialize($optionsCache);
$options = unserialize($optionsCache, ['allowed_classes' => false]);
}
}

11 changes: 9 additions & 2 deletions app/code/core/Mage/Core/Helper/UnserializeArray.php
Expand Up @@ -40,7 +40,14 @@ class Mage_Core_Helper_UnserializeArray
*/
public function unserialize($str)
{
$parser = new Unserialize_Parser();
return $parser->unserialize($str);
try {
$result = unserialize($str, ['allowed_classes' => false]);
if ($result === false && $str !== serialize(false)) {
throw new Exception('Error unserializing data.');
}
return $result;
} catch (Error $e) {
throw new Exception('Error unserializing data: '.$e->getMessage(), 0, $e);
}
}
}
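Review bot: The rewritten `unserialize()` treats only a `false` return as failure, so a payload that contains serialized object records now succeeds and yields `__PHP_Incomplete_Class` instances inside the result; if the replaced `Unserialize_Parser` refused object records (its behaviour is not visible on this page), this is a loosening for a helper whose name promises arrays, and a shape check such as `if (!is_array($result)) { throw new Exception('Error unserializing data: expected array.'); }` before the `return` would restore a fail-closed contract, provided no caller relies on scalar results. The `catch (Error $e)` branch is narrower than the commit message "Re-throw unserialize errors as Exception" suggests: PHP's `unserialize()` reports malformed input with a notice or warning plus a `false` return, not an `Error`, so that branch only covers engine errors such as a `TypeError` on a non-string argument unless an installed error handler converts notices to throwables, which is not visible here. A comment above the `try` stating which failure each of the two paths handles would keep the next reader from assuming all malformed input lands in the `catch`.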
4 changes: 2 additions & 2 deletions app/code/core/Mage/Core/Model/Cache.php
Expand Up @@ -500,7 +500,7 @@ protected function _initOptions()
$this->_allowedCacheOptions = array();
}
} else {
$this->_allowedCacheOptions = unserialize($options);
$this->_allowedCacheOptions = unserialize($options, ['allowed_classes' => false]);
}

if (Mage::getConfig()->getOptions()->getData('global_ban_use_cache')) {
Expand Down Expand Up @@ -611,7 +611,7 @@ protected function _getInvalidatedTypes()
{
$types = $this->load(self::INVALIDATED_TYPES);
if ($types) {
$types = unserialize($types);
$types = unserialize($types, ['allowed_classes' => false]);
} else {
$types = array();
}
2 changes: 1 addition & 1 deletion app/code/core/Mage/Core/Model/Flag.php
Expand Up @@ -87,7 +87,7 @@ protected function _beforeSave()
public function getFlagData()
{
if ($this->hasFlagData()) {
return unserialize($this->getData('flag_data'));
return unserialize($this->getData('flag_data'), ['allowed_classes' => false]);
} else {
return null;
}
2 changes: 1 addition & 1 deletion app/code/core/Mage/Core/Model/Resource/Abstract.php
Expand Up @@ -197,7 +197,7 @@ protected function _unserializeField(Varien_Object $object, $field, $defaultValu
if (empty($value)) {
$object->setData($field, $defaultValue);
} elseif (!is_array($value) && !is_object($value)) {
$object->setData($field, unserialize($value));
$object->setData($field, unserialize($value, ['allowed_classes' => ['Varien_Object']]));
}
}
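Review bot: The allow-list `['allowed_classes' => ['Varien_Object']]` on the new `setData` line is the only place in this commit that still permits object instantiation, and nothing in the hunk records which stored field needs it, so a later reader cannot tell whether it may be tightened to `false`. Add a why-comment above it, e.g. `// Varien_Object is allow-listed because <field name> stores serialized Varien_Object instances; any other class decodes as __PHP_Incomplete_Class`, replacing the placeholder with the actual field. Note also that `allowed_classes` matches by exact class name, so a serialized subclass of Varien_Object (a model, for instance) is not covered by this entry and now comes back as `__PHP_Incomplete_Class`; if any caller relied on such instances round-tripping, that behaviour change belongs in the comment too. `_unserializeField` starts outside the hunk.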

2 changes: 1 addition & 1 deletion app/code/core/Mage/Core/Model/Resource/Email/Queue.php
Expand Up @@ -43,7 +43,7 @@ protected function _construct()
protected function _afterLoad(Mage_Core_Model_Abstract $object)
{
$object->setRecipients($this->getRecipients($object->getId()));
$object->setMessageParameters(unserialize($object->getMessageParameters()));
$object->setMessageParameters(unserialize($object->getMessageParameters(), ['allowed_classes' => false]));
return $this;
}

2 changes: 1 addition & 1 deletion app/code/core/Mage/Core/Model/Store.php
Expand Up @@ -415,7 +415,7 @@ public function initConfigCache()
$cacheId = 'store_' . $code . '_config_cache';
$data = Mage::app()->loadCache($cacheId);
if ($data) {
$data = unserialize($data);
$data = unserialize($data, ['allowed_classes' => false]);
} else {
$data = array();
foreach ($this->_configCacheBaseNodes as $node) {
2 changes: 1 addition & 1 deletion app/code/core/Mage/Core/Model/Translate.php
Expand Up @@ -535,7 +535,7 @@ protected function _loadCache()
return false;
}
$data = Mage::app()->loadCache($this->getCacheId());
$data = unserialize($data);
$data = unserialize($data, ['allowed_classes' => false]);
return $data;
}

2 changes: 1 addition & 1 deletion app/code/core/Mage/Dataflow/Model/Batch.php
Expand Up @@ -205,7 +205,7 @@ public function setParams($data)
public function getParams()
{
$data = $this->_data['params'];
$data = unserialize($data);
$data = unserialize($data, ['allowed_classes' => false]);
return $data;
}
}
2 changes: 1 addition & 1 deletion app/code/core/Mage/Dataflow/Model/Batch/Abstract.php
Expand Up @@ -63,7 +63,7 @@ public function setBatchData($data)
public function getBatchData()
{
$data = $this->_data['batch_data'];
$data = unserialize($data);
$data = unserialize($data, ['allowed_classes' => false]);
return $data;
}

Expand Up @@ -37,7 +37,7 @@ class Mage_Dataflow_Model_Convert_Parser_Serialize extends Mage_Dataflow_Model_C

public function parse()
{
$this->setData(unserialize($this->getData()));
$this->setData(unserialize($this->getData(), ['allowed_classes' => false]));
return $this;
}
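Review bot: `parse()` hands whatever `unserialize()` returns to `setData()` unchecked; malformed input produces `false`, and a serialized object record now produces `__PHP_Incomplete_Class` rather than an error, and either value then flows into the rest of the conversion pipeline. Dataflow parsers presumably operate on imported files (inferred from the class name, not shown here), so failing closed is preferable: `$data = unserialize($this->getData(), ['allowed_classes' => false]); if (!is_array($data)) { throw new Exception('Serialized data must decode to an array.'); } $this->setData($data);`. Alternatively delegate to Mage_Core_Helper_UnserializeArray, which this commit already equips with error handling for the `false` case.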

4 changes: 2 additions & 2 deletions app/code/core/Mage/Directory/Block/Data.php
Expand Up @@ -74,7 +74,7 @@ public function getCountryHtmlSelect($defValue = null, $name = 'country_id', $id
}
$cacheKey = 'DIRECTORY_COUNTRY_SELECT_STORE_'.Mage::app()->getStore()->getCode();
if (Mage::app()->useCache('config') && $cache = Mage::app()->loadCache($cacheKey)) {
$options = unserialize($cache);
$options = unserialize($cache, ['allowed_classes' => false]);
} else {
$options = $this->getCountryCollection()->toOptionArray();
if (Mage::app()->useCache('config')) {
Expand Down Expand Up @@ -119,7 +119,7 @@ public function getRegionHtmlSelect()
Varien_Profiler::start('TEST: '.__METHOD__);
$cacheKey = 'DIRECTORY_REGION_SELECT_STORE'.Mage::app()->getStore()->getId();
if (Mage::app()->useCache('config') && $cache = Mage::app()->loadCache($cacheKey)) {
$options = unserialize($cache);
$options = unserialize($cache, ['allowed_classes' => false]);
} else {
$options = $this->getRegionCollection()->toOptionArray();
if (Mage::app()->useCache('config')) {
2 changes: 1 addition & 1 deletion app/code/core/Mage/Downloadable/Model/Product/Type.php
Expand Up @@ -339,7 +339,7 @@ public function checkProductBuyState($product = null)
$product = $this->getProduct($product);
$option = $product->getCustomOption('info_buyRequest');
if ($option instanceof Mage_Sales_Model_Quote_Item_Option) {
$buyRequest = new Varien_Object(unserialize($option->getValue()));
$buyRequest = new Varien_Object(unserialize($option->getValue(), ['allowed_classes' => false]));
if (!$buyRequest->hasLinks()) {
if (!$product->getLinksPurchasedSeparately()) {
$allLinksIds = Mage::getModel('downloadable/link')
