
Commit da6afc7

committed
[mms] SECURITY: '_formvars' form input must now be JSON encoded, not PHP serialized.
1 parent 1b71a72 commit da6afc7


2 files changed

+13
-8
lines changed


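--- a/framework/Util/lib/Horde/Variables.php
+++ b/framework/Util/lib/Horde/Variables.php
@@ -61,7 +61,9 @@ static public function getDefaultVariables($sanitize = false)
 * Constructor.
 *
 * @param array $vars The list of form variables (if null, defaults
-* to PHP's $_REQUEST value).
+* to PHP's $_REQUEST value). If '_formvars'
+* exists, it must be a JSON encoded array that
+* contains the list of allowed form variables.
 * @param string $sanitize Sanitize the input variables?
 */
 public function __construct($vars = array(), $sanitize = false)
@@ -72,7 +74,7 @@ public function __construct($vars = array(), $sanitize = false)
 }
 
 if (isset($vars['_formvars'])) {
-$this->_expected = @unserialize($vars['_formvars']);
+$this->_expected = @json_decode($vars['_formvars'], true);
 unset($vars['_formvars']);
 }
 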
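Review bot: The new `json_decode` call on line 77 leaves `$this->_expected` unvalidated: malformed JSON yields `null`, and a JSON scalar or string literal decoded with `assoc=true` still yields a non-array, so the "must be a JSON encoded array" contract added to the docblock in the first hunk is documented but not enforced. Swapping `unserialize` for `json_decode` is the right fix, since decoding with `true` can never instantiate objects from the client-supplied string, but the result should still be shape-checked, e.g. `$expected = json_decode($vars['_formvars'], true);` followed by `$this->_expected = is_array($expected) ? $expected : array();` (substituting whatever default `_expected` carries elsewhere in the class, which is outside this hunk). The `@` suppression is also no longer needed, because `json_decode` reports failure through its return value and `json_last_error()` rather than emitting a notice the way `unserialize` does. The constructor body continues past the hunk, so if an `is_array` check already exists further down this is moot; worth confirming.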
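--- a/framework/Util/package.xml
+++ b/framework/Util/package.xml
@@ -26,16 +26,16 @@
 <date>2013-05-06</date>
 <time>19:34:35</time>
 <version>
-<release>2.2.3</release>
-<api>2.2.0</api>
+<release>2.3.0</release>
+<api>2.3.0</api>
 </version>
 <stability>
 <release>stable</release>
 <api>stable</api>
 </stability>
 <license uri="http://www.horde.org/licenses/lgpl21">LGPL-2.1</license>
 <notes>
-*
+* [mms] SECURITY: &apos;_formvars&apos; form input must now be JSON encoded, not PHP serialized.
 </notes>
 <contents>
 <dir baseinstalldir="/" name="/">
@@ -116,6 +116,9 @@
 <extension>
 <name>iconv</name>
 </extension>
+<extension>
+<name>json</name>
+</extension>
 <extension>
 <name>mbstring</name>
 </extension>
@@ -619,15 +622,15 @@ Converted to package.xml 2.0 for pear.horde.org
 </release>
 <release>
 <version>
-<release>2.2.3</release>
-<api>2.2.0</api></version>
+<release>2.3.0</release>
+<api>2.3.0</api></version>
 <stability>
 <release>stable</release>
 <api>stable</api></stability>
 <date>2013-05-06</date>
 <license uri="http://www.horde.org/licenses/lgpl21">LGPL-2.1</license>
 <notes>
-*
+* [mms] SECURITY: &apos;_formvars&apos; form input must now be JSON encoded, not PHP serialized.
 </notes>
 </release>
 </changelog>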
