
[mms] SECURITY: '_formvars' form input must now be JSON encoded, not …

…PHP serialized.
slusarz committed Jun 27, 2013
1 parent 1b71a72 commit da6afc7e9f4e290f782eca9dbca794f772caccb3
Showing with 13 additions and 8 deletions.
  1. +4 −2 framework/Util/lib/Horde/Variables.php
  2. +9 −6 framework/Util/package.xml
@@ -61,7 +61,9 @@ static public function getDefaultVariables($sanitize = false)
* Constructor.
*
* @param array $vars The list of form variables (if null, defaults
* to PHP's $_REQUEST value).
* to PHP's $_REQUEST value). If '_formvars'
* exists, it must be a JSON encoded array that
* contains the list of allowed form variables.
* @param string $sanitize Sanitize the input variables?
*/
public function __construct($vars = array(), $sanitize = false)
@@ -72,7 +74,7 @@ public function __construct($vars = array(), $sanitize = false)
}
if (isset($vars['_formvars'])) {
$this->_expected = @unserialize($vars['_formvars']);
$this->_expected = @json_decode($vars['_formvars'], true);
unset($vars['_formvars']);
}
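Review bot: The new `json_decode($vars['_formvars'], true)` line still stores whatever the client sent without checking that it is an array, even though the updated docblock now promises "a JSON encoded array": a malformed body yields `null`, and a valid JSON scalar such as `"x"` or `1` is assigned to `$this->_expected` as-is, so any later code that iterates or indexes `_expected` runs against an unexpected type. Swapping out `unserialize()` removes the object-instantiation risk, but the input is still untrusted and its shape should be enforced at this boundary. I would drop the `@` (json_decode does not emit warnings here, so it only hides mistakes) and guard the type, e.g. `$expected = json_decode($vars['_formvars'], true);` followed by `$this->_expected = is_array($expected) ? $expected : array();` — assuming an empty list is the right fallback, which I cannot confirm since `_expected`'s initialisation is not in the hunk. The constructor body begins before this hunk and the hunk appears to be cut short of its trailing context.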
@@ -26,16 +26,16 @@
<date>2013-05-06</date>
<time>19:34:35</time>
<version>
<release>2.2.3</release>
<api>2.2.0</api>
<release>2.3.0</release>
<api>2.3.0</api>
</version>
<stability>
<release>stable</release>
<api>stable</api>
</stability>
<license uri="http://www.horde.org/licenses/lgpl21">LGPL-2.1</license>
<notes>
*
* [mms] SECURITY: &apos;_formvars&apos; form input must now be JSON encoded, not PHP serialized.
</notes>
<contents>
<dir baseinstalldir="/" name="/">
@@ -116,6 +116,9 @@
<extension>
<name>iconv</name>
</extension>
<extension>
<name>json</name>
</extension>
<extension>
<name>mbstring</name>
</extension>
@@ -619,15 +622,15 @@ Converted to package.xml 2.0 for pear.horde.org
</release>
<release>
<version>
<release>2.2.3</release>
<api>2.2.0</api></version>
<release>2.3.0</release>
<api>2.3.0</api></version>
<stability>
<release>stable</release>
<api>stable</api></stability>
<date>2013-05-06</date>
<license uri="http://www.horde.org/licenses/lgpl21">LGPL-2.1</license>
<notes>
*
* [mms] SECURITY: &apos;_formvars&apos; form input must now be JSON encoded, not PHP serialized.
</notes>
</release>
</changelog>
