[mms] SECURITY: '_formvars' form input must now be JSON encoded, not PHP serialized.
slusarz committed Jun 27, 2013
1 parent 1b71a72 commit da6afc7
Showing 2 changed files with 13 additions and 8 deletions.
6 changes: 4 additions & 2 deletions framework/Util/lib/Horde/Variables.php
Expand Up @@ -61,7 +61,9 @@ static public function getDefaultVariables($sanitize = false)
* Constructor.
*
* @param array $vars The list of form variables (if null, defaults
* to PHP's $_REQUEST value).
* to PHP's $_REQUEST value). If '_formvars'
* exists, it must be a JSON encoded array that
* contains the list of allowed form variables.
* @param string $sanitize Sanitize the input variables?
*/
public function __construct($vars = array(), $sanitize = false)
Expand All @@ -72,7 +74,7 @@ public function __construct($vars = array(), $sanitize = false)
}

if (isset($vars['_formvars'])) {
$this->_expected = @unserialize($vars['_formvars']);
$this->_expected = @json_decode($vars['_formvars'], true);
unset($vars['_formvars']);
}

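Review bot: The result of `$this->_expected = @json_decode($vars['_formvars'], true);` is stored without checking that it is an array, so malformed JSON, a JSON scalar, or input nested past json_decode's default depth leaves `_expected` as null or a scalar even though the docblock in the first hunk now states that '_formvars' must be a JSON encoded array; if the rest of the class indexes `_expected` as an array (not visible in this hunk) that becomes a notice or a silent mismatch instead of a rejected value. The `@` also adds nothing, since json_decode reports failure through its return value and json_last_error() rather than a warning. I would replace the line with `$expected = json_decode($vars['_formvars'], true);` followed by `$this->_expected = is_array($expected) ? $expected : array();`, so anything that is not the documented shape yields an empty list rather than null. The constructor's body continues past the end of the hunk.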
15 changes: 9 additions & 6 deletions framework/Util/package.xml
Expand Up @@ -26,16 +26,16 @@
<date>2013-05-06</date>
<time>19:34:35</time>
<version>
<release>2.2.3</release>
<api>2.2.0</api>
<release>2.3.0</release>
<api>2.3.0</api>
</version>
<stability>
<release>stable</release>
<api>stable</api>
</stability>
<license uri="http://www.horde.org/licenses/lgpl21">LGPL-2.1</license>
<notes>
*
* [mms] SECURITY: &apos;_formvars&apos; form input must now be JSON encoded, not PHP serialized.
</notes>
<contents>
<dir baseinstalldir="/" name="/">
Expand Down Expand Up @@ -116,6 +116,9 @@
<extension>
<name>iconv</name>
</extension>
<extension>
<name>json</name>
</extension>
<extension>
<name>mbstring</name>
</extension>
Expand Down Expand Up @@ -619,15 +622,15 @@ Converted to package.xml 2.0 for pear.horde.org
</release>
<release>
<version>
<release>2.2.3</release>
<api>2.2.0</api></version>
<release>2.3.0</release>
<api>2.3.0</api></version>
<stability>
<release>stable</release>
<api>stable</api></stability>
<date>2013-05-06</date>
<license uri="http://www.horde.org/licenses/lgpl21">LGPL-2.1</license>
<notes>
*
* [mms] SECURITY: &apos;_formvars&apos; form input must now be JSON encoded, not PHP serialized.
</notes>
</release>
</changelog>
