Added fix for unsafe unserialization reported by @mcdruid

tom-fleming · tom-fleming · commit 1966c48ecee2 · 2025-01-31T16:43:15.000-05:00
diff --git a/docroot/modules/custom/mass_entityreference/src/Plugin/EntityReferenceSelection/MassFilterEntitiesSelection.php b/docroot/modules/custom/mass_entityreference/src/Plugin/EntityReferenceSelection/MassFilterEntitiesSelection.php
@@ -28,7 +28,7 @@ protected function buildEntityQuery($match = NULL, $match_operator = 'CONTAINS')
     // Get the users selected filter.
     $cookie = \Drupal::requestStack()->getCurrentRequest()->cookies->get('Drupal_visitor_autocomplete_select_filter');
     if (!empty($cookie)) {
-      $types = unserialize($cookie);
+      $types = json_decode($cookie);
     }
 
     $query = $this->entityTypeManager->getStorage($target_type)->getQuery()->accessCheck();
diff --git a/docroot/modules/custom/mass_entityreference/src/Plugin/Field/FieldWidget/EntityReferenceSelectAutocompleteWidget.php b/docroot/modules/custom/mass_entityreference/src/Plugin/Field/FieldWidget/EntityReferenceSelectAutocompleteWidget.php
@@ -59,7 +59,7 @@ public function form(FieldItemListInterface $items, array &$form, FormStateInter
    */
   public static function setFilterSelect(array $form, FormStateInterface $form_state) {
     $select = $form_state->getTriggeringElement();
-    user_cookie_save(['autocomplete_select_filter' => serialize($select['#value'])]);
+    user_cookie_save(['autocomplete_select_filter' => json_encode($select['#value'])]);
     return new AjaxResponse();
   }
 

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ protected function buildEntityQuery($match = NULL, $match_operator = 'CONTAINS')`
`28`	`28`	`// Get the users selected filter.`
`29`	`29`	`$cookie = \Drupal::requestStack()->getCurrentRequest()->cookies->get('Drupal_visitor_autocomplete_select_filter');`
`30`	`30`	`if (!empty($cookie)) {`
`31`		`- $types = unserialize($cookie);`
	`31`	`+ $types = json_decode($cookie);`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`$query = $this->entityTypeManager->getStorage($target_type)->getQuery()->accessCheck();`
Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,7 @@ public function form(FieldItemListInterface $items, array &$form, FormStateInter`
`59`	`59`	`*/`
`60`	`60`	`public static function setFilterSelect(array $form, FormStateInterface $form_state) {`
`61`	`61`	`$select = $form_state->getTriggeringElement();`
`62`		`- user_cookie_save(['autocomplete_select_filter' => serialize($select['#value'])]);`
	`62`	`+ user_cookie_save(['autocomplete_select_filter' => json_encode($select['#value'])]);`
`63`	`63`	`return new AjaxResponse();`
`64`	`64`	`}`
`65`	`65`