2 files changed +13
-8
lines changed Original file line number Diff line number Diff line change @@ -61,7 +61,9 @@ static public function getDefaultVariables($sanitize = false)
6161 * Constructor.
6262 *
6363 * @param array $vars The list of form variables (if null, defaults
64- * to PHP's $_REQUEST value).
64+ * to PHP's $_REQUEST value). If '_formvars'
65+ * exists, it must be a JSON encoded array that
66+ * contains the list of allowed form variables.
6567 * @param string $sanitize Sanitize the input variables?
6668 */
6769 public function __construct ($ vars = array (), $ sanitize = false )
@@ -72,7 +74,7 @@ public function __construct($vars = array(), $sanitize = false)
7274 }
7375
7476 if (isset ($ vars ['_formvars ' ])) {
75- $ this ->_expected = @unserialize ($ vars ['_formvars ' ]);
77+ $ this ->_expected = @json_decode ($ vars ['_formvars ' ], true );
7678 unset($ vars ['_formvars ' ]);
7779 }
7880
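Review bot: The value decoded on new line 77 is assigned to `$this->_expected` without checking that it is actually an array, so malformed input or a JSON scalar leaves `_expected` as null or a scalar, although the docblock added on lines 64–66 states that `_formvars` must be a JSON encoded array of allowed variables (the old `unserialize` path had the same gap, yielding false on bad input). Suggest `$expected = json_decode($vars['_formvars'], true); $this->_expected = is_array($expected) ? $expected : array();`; if the rest of the class treats a non-array `_expected` as "no restriction", choose that default instead — the constructor body continues outside the hunk, so I cannot confirm which is intended. The `@` suppression on the new line is also unnecessary: `json_decode` reports a parse failure by returning null rather than emitting a warning, so the operator hides nothing and only obscures the intent.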
Original file line number Diff line number Diff line change 2626 <date >2013-05-06</date >
2727 <time >19:34:35</time >
2828 <version >
29- <release >2.2.3 </release >
30- <api >2.2 .0</api >
29+ <release >2.3.0 </release >
30+ <api >2.3 .0</api >
3131 </version >
3232 <stability >
3333 <release >stable</release >
3434 <api >stable</api >
3535 </stability >
3636 <license uri =" http://www.horde.org/licenses/lgpl21" >LGPL-2.1</license >
3737 <notes >
38- *
38+ * [mms] SECURITY: ' _formvars ' form input must now be JSON encoded, not PHP serialized.
3939 </notes >
4040 <contents >
4141 <dir baseinstalldir =" /" name =" /" >
116116 <extension >
117117 <name >iconv</name >
118118 </extension >
119+ <extension >
120+ <name >json</name >
121+ </extension >
119122 <extension >
120123 <name >mbstring</name >
121124 </extension >
@@ -619,15 +622,15 @@ Converted to package.xml 2.0 for pear.horde.org
619622 </release >
620623 <release >
621624 <version >
622- <release >2.2.3 </release >
623- <api >2.2 .0</api ></version >
625+ <release >2.3.0 </release >
626+ <api >2.3 .0</api ></version >
624627 <stability >
625628 <release >stable</release >
626629 <api >stable</api ></stability >
627630 <date >2013-05-06</date >
628631 <license uri =" http://www.horde.org/licenses/lgpl21" >LGPL-2.1</license >
629632 <notes >
630- *
633+ * [mms] SECURITY: ' _formvars ' form input must now be JSON encoded, not PHP serialized.
631634 </notes >
632635 </release >
633636 </changelog >