MDL-70823 mod: safely parse module display options array.
paulholden authored and sarjona committed Nov 3, 2021
1 parent 294fa22 commit cdc80e6
Showing 9 changed files with 17 additions and 17 deletions.
2 changes: 1 addition & 1 deletion mod/page/lib.php
@@ -229,7 +229,7 @@ function page_get_coursemodule_info($coursemodule) {
}

$fullurl = "$CFG->wwwroot/mod/page/view.php?id=$coursemodule->id&inpopup=1";
$options = empty($page->displayoptions) ? array() : unserialize($page->displayoptions);
$options = empty($page->displayoptions) ? [] : (array) unserialize_array($page->displayoptions);
$width = empty($options['popupwidth']) ? 620 : $options['popupwidth'];
$height = empty($options['popupheight']) ? 450 : $options['popupheight'];
$wh = "width=$width,height=$height,toolbar=no,location=no,menubar=no,copyhistory=no,status=no,directories=no,scrollbars=yes,resizable=yes";
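Review bot: The `(array)` cast on the changed line does not turn a failed parse into an empty array: if `unserialize_array()` returns `false` for input it rejects (that is how the Moodle core helper is documented; its body is not on this page), `(array) false` evaluates to `[0 => false]`. Keyed lookups such as `$options['popupwidth']` still fall back to their defaults, but the same pattern in mod/url/mod_form.php is counted and iterated, so a rejected `parameters` value would show up as one bogus entry in the form defaults. `$options = empty($page->displayoptions) ? [] : (unserialize_array($page->displayoptions) ?: []);` yields a real empty array, and the same change applies to the other call sites in this commit. page_get_coursemodule_info starts and ends outside the hunk.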
2 changes: 1 addition & 1 deletion mod/page/mod_form.php
@@ -130,7 +130,7 @@ public function data_preprocessing(&$defaultvalues) {
$defaultvalues['page']['itemid'] = $draftitemid;
}
if (!empty($defaultvalues['displayoptions'])) {
$displayoptions = unserialize($defaultvalues['displayoptions']);
$displayoptions = (array) unserialize_array($defaultvalues['displayoptions']);
if (isset($displayoptions['printintro'])) {
$defaultvalues['printintro'] = $displayoptions['printintro'];
}
2 changes: 1 addition & 1 deletion mod/page/view.php
@@ -56,7 +56,7 @@

$PAGE->set_url('/mod/page/view.php', array('id' => $cm->id));

$options = empty($page->displayoptions) ? array() : unserialize($page->displayoptions);
$options = empty($page->displayoptions) ? [] : (array) unserialize_array($page->displayoptions);

if ($inpopup and $page->display == RESOURCELIB_DISPLAY_POPUP) {
$PAGE->set_pagelayout('popup');
4 changes: 2 additions & 2 deletions mod/resource/lib.php
@@ -234,7 +234,7 @@ function resource_get_coursemodule_info($coursemodule) {

if ($display == RESOURCELIB_DISPLAY_POPUP) {
$fullurl = "$CFG->wwwroot/mod/resource/view.php?id=$coursemodule->id&redirect=1";
$options = empty($resource->displayoptions) ? array() : unserialize($resource->displayoptions);
$options = empty($resource->displayoptions) ? [] : (array) unserialize_array($resource->displayoptions);
$width = empty($options['popupwidth']) ? 620 : $options['popupwidth'];
$height = empty($options['popupheight']) ? 450 : $options['popupheight'];
$wh = "width=$width,height=$height,toolbar=no,location=no,menubar=no,copyhistory=no,status=no,directories=no,scrollbars=yes,resizable=yes";
@@ -250,7 +250,7 @@ function resource_get_coursemodule_info($coursemodule) {
// add some file details as well to be used later by resource_get_optional_details() without retriving.
// Do not store filedetails if this is a reference - they will still need to be retrieved every time.
if (($filedetails = resource_get_file_details($resource, $coursemodule)) && empty($filedetails['isref'])) {
$displayoptions = @unserialize($resource->displayoptions);
$displayoptions = (array) unserialize_array($resource->displayoptions);
$displayoptions['filedetails'] = $filedetails;
$info->customdata['displayoptions'] = serialize($displayoptions);
} else {
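Review bot: The second hunk's `$displayoptions = (array) unserialize_array($resource->displayoptions);` is the one call site without an `empty()` guard, and its result is written back with `serialize()` two lines later. If the helper returns `false` for input it rejects (its documented failure value in Moodle core, not shown here), the cast leaves a stray `0 => false` element that is stored in `customdata['displayoptions']` beside `filedetails`. According to the comment above the `if`, that string is read back by resource_get_optional_details(), which in this commit also parses through `unserialize_array()`; a unit test that the stored value, nested `filedetails` included, survives the stricter parser would confirm the cache still works. `$displayoptions = unserialize_array($resource->displayoptions) ?: [];` avoids the stray element. resource_get_coursemodule_info continues outside both hunks.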
8 changes: 4 additions & 4 deletions mod/resource/locallib.php
@@ -226,7 +226,7 @@ function resource_print_workaround($resource, $cm, $course, $file) {
case RESOURCELIB_DISPLAY_POPUP:
$path = '/'.$file->get_contextid().'/mod_resource/content/'.$resource->revision.$file->get_filepath().$file->get_filename();
$fullurl = file_encode_url($CFG->wwwroot.'/pluginfile.php', $path, false);
$options = empty($resource->displayoptions) ? array() : unserialize($resource->displayoptions);
$options = empty($resource->displayoptions) ? [] : (array) unserialize_array($resource->displayoptions);
$width = empty($options['popupwidth']) ? 620 : $options['popupwidth'];
$height = empty($options['popupheight']) ? 450 : $options['popupheight'];
$wh = "width=$width,height=$height,toolbar=no,location=no,menubar=no,copyhistory=no,status=no,directories=no,scrollbars=yes,resizable=yes";
@@ -292,7 +292,7 @@ function resource_print_heading($resource, $cm, $course, $notused = false) {
* @return string Size and type or empty string if show options are not enabled
*/
function resource_get_file_details($resource, $cm) {
$options = empty($resource->displayoptions) ? array() : @unserialize($resource->displayoptions);
$options = empty($resource->displayoptions) ? [] : (array) unserialize_array($resource->displayoptions);
$filedetails = array();
if (!empty($options['showsize']) || !empty($options['showtype']) || !empty($options['showdate'])) {
$context = context_module::instance($cm->id);
@@ -361,7 +361,7 @@ function resource_get_optional_details($resource, $cm) {

$details = '';

$options = empty($resource->displayoptions) ? array() : @unserialize($resource->displayoptions);
$options = empty($resource->displayoptions) ? [] : (array) unserialize_array($resource->displayoptions);
if (!empty($options['showsize']) || !empty($options['showtype']) || !empty($options['showdate'])) {
if (!array_key_exists('filedetails', $options)) {
$filedetails = resource_get_file_details($resource, $cm);
@@ -422,7 +422,7 @@ function resource_get_optional_details($resource, $cm) {
function resource_print_intro($resource, $cm, $course, $ignoresettings=false) {
global $OUTPUT;

$options = empty($resource->displayoptions) ? array() : unserialize($resource->displayoptions);
$options = empty($resource->displayoptions) ? [] : (array) unserialize_array($resource->displayoptions);

$extraintro = resource_get_optional_details($resource, $cm);
if ($extraintro) {
2 changes: 1 addition & 1 deletion mod/resource/mod_form.php
@@ -158,7 +158,7 @@ function data_preprocessing(&$default_values) {
$default_values['files'] = $draftitemid;
}
if (!empty($default_values['displayoptions'])) {
$displayoptions = unserialize($default_values['displayoptions']);
$displayoptions = (array) unserialize_array($default_values['displayoptions']);
if (isset($displayoptions['printintro'])) {
$default_values['printintro'] = $displayoptions['printintro'];
}
2 changes: 1 addition & 1 deletion mod/url/lib.php
@@ -226,7 +226,7 @@ function url_get_coursemodule_info($coursemodule) {

if ($display == RESOURCELIB_DISPLAY_POPUP) {
$fullurl = "$CFG->wwwroot/mod/url/view.php?id=$coursemodule->id&redirect=1";
$options = empty($url->displayoptions) ? array() : unserialize($url->displayoptions);
$options = empty($url->displayoptions) ? [] : (array) unserialize_array($url->displayoptions);
$width = empty($options['popupwidth']) ? 620 : $options['popupwidth'];
$height = empty($options['popupheight']) ? 450 : $options['popupheight'];
$wh = "width=$width,height=$height,toolbar=no,location=no,menubar=no,copyhistory=no,status=no,directories=no,scrollbars=yes,resizable=yes";
6 changes: 3 additions & 3 deletions mod/url/locallib.php
@@ -83,7 +83,7 @@ function url_fix_submitted_url($url) {
*/
function url_get_full_url($url, $cm, $course, $config=null) {

$parameters = empty($url->parameters) ? array() : unserialize($url->parameters);
$parameters = empty($url->parameters) ? [] : (array) unserialize_array($url->parameters);

// make sure there are no encoded entities, it is ok to do this twice
$fullurl = html_entity_decode($url->externalurl, ENT_QUOTES, 'UTF-8');
@@ -195,7 +195,7 @@ function url_print_heading($url, $cm, $course, $notused = false) {
function url_print_intro($url, $cm, $course, $ignoresettings=false) {
global $OUTPUT;

$options = empty($url->displayoptions) ? array() : unserialize($url->displayoptions);
$options = empty($url->displayoptions) ? [] : (array) unserialize_array($url->displayoptions);
if ($ignoresettings or !empty($options['printintro'])) {
if (trim(strip_tags($url->intro))) {
echo $OUTPUT->box_start('mod_introbox', 'urlintro');
@@ -284,7 +284,7 @@ function url_print_workaround($url, $cm, $course) {
$display = url_get_final_display_type($url);
if ($display == RESOURCELIB_DISPLAY_POPUP) {
$jsfullurl = addslashes_js($fullurl);
$options = empty($url->displayoptions) ? array() : unserialize($url->displayoptions);
$options = empty($url->displayoptions) ? [] : (array) unserialize_array($url->displayoptions);
$width = empty($options['popupwidth']) ? 620 : $options['popupwidth'];
$height = empty($options['popupheight']) ? 450 : $options['popupheight'];
$wh = "width=$width,height=$height,toolbar=no,location=no,menubar=no,copyhistory=no,status=no,directories=no,scrollbars=yes,resizable=yes";
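Review bot: In the third hunk (url_print_workaround) `popupwidth` and `popupheight` are taken from the parsed array and interpolated into `$wh` unchanged; the safer parser constrains the container to an array but does not constrain what each value holds. The neighbouring `addslashes_js($fullurl)` suggests the result is headed for script context (the use of `$wh` is outside the hunk), so casting keeps stored option text from reaching it as-is: `$width = empty($options['popupwidth']) ? 620 : (int) $options['popupwidth'];` and the same for `$height`. The same two context lines follow the changed line in mod/page/lib.php, mod/resource/lib.php, mod/resource/locallib.php and mod/url/lib.php.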
6 changes: 3 additions & 3 deletions mod/url/mod_form.php
@@ -105,7 +105,7 @@ function definition() {
if (empty($this->current->parameters)) {
$parcount = 5;
} else {
$parcount = 5 + count(unserialize($this->current->parameters));
$parcount = 5 + count((array) unserialize_array($this->current->parameters));
$parcount = ($parcount > 100) ? 100 : $parcount;
}
$options = url_get_variable_options($config);
@@ -131,7 +131,7 @@ function definition() {

function data_preprocessing(&$default_values) {
if (!empty($default_values['displayoptions'])) {
$displayoptions = unserialize($default_values['displayoptions']);
$displayoptions = (array) unserialize_array($default_values['displayoptions']);
if (isset($displayoptions['printintro'])) {
$default_values['printintro'] = $displayoptions['printintro'];
}
@@ -143,7 +143,7 @@ function data_preprocessing(&$default_values) {
}
}
if (!empty($default_values['parameters'])) {
$parameters = unserialize($default_values['parameters']);
$parameters = (array) unserialize_array($default_values['parameters']);
$i = 0;
foreach ($parameters as $parameter=>$variable) {
$default_values['parameter_'.$i] = $parameter;
