Skip to content

/ pkp-lib

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use json_encode/json_decode instead of serialize/unserialize in report generator #5302

Closed
asmecher opened this issue Nov 26, 2019 · 1 comment
Closed

Use json_encode/json_decode instead of serialize/unserialize in report generator #5302

asmecher opened this issue Nov 26, 2019 · 1 comment
Assignees
@asmecher
Labels
Critical Issue
Milestone
OJS/OMP 3.1.2-2

Comments

@asmecher
Copy link
Member

@asmecher asmecher commented Nov 26, 2019
edited

JSON is limited to simple constructs like arrays, strings, and numbers. serialize/unserialize can be used to describe more complex objects, which may not be trustworthy.

Use json_encode/json_decode instead of serialize/unserialize in the report generator. Review elsewhere for similar usage.

This is a potential security issue -- PHP unserialize can be used for code injections. Abuse of this issue requires Journal Manager access; social engineering is possible, if a logged-in Journal Manager can be tricked into visiting a specially-crafted (albeit long) URL.

This is corrected in OJS/OMP 3.1.2-2 or newer. See #5302 (comment) for patching instructions for older versions.

Affects OJS 3.x and OMP installations 3.1.2-1 and older.

Thanks to Franek Kalinowski, Isec.pl Research Team for discovering and reporting the issue! This has been assigned CVE ID CVE-2019-19909.
@asmecher asmecher added this to the OJS/OMP 3.1.2-2 milestone Nov 26, 2019
asmecher added a commit that referenced this issue Nov 26, 2019
@asmecher
#5302 Use JSON rather than PHP serialization
e95653b
asmecher added a commit that referenced this issue Nov 26, 2019
@asmecher
#5302 Use JSON rather than PHP serialization
ef43433
asmecher added a commit that referenced this issue Nov 26, 2019
@asmecher
#5302 Use JSON rather than PHP serialization
5f75a4d
asmecher added a commit that referenced this issue Nov 26, 2019
@asmecher
#5302 Use JSON rather than PHP serialization
dccee91
asmecher added a commit that referenced this issue Nov 26, 2019
@asmecher
#5302 Use JSON rather than PHP serialization
7343ec5
asmecher added a commit that referenced this issue Nov 26, 2019
@asmecher
#5302 Use JSON rather than PHP serialization
ee472a1
asmecher added a commit that referenced this issue Nov 26, 2019
@asmecher
#5302 Use JSON rather than PHP serialization
c80fed7
asmecher added a commit that referenced this issue Nov 26, 2019
@asmecher
#5302 Use JSON rather than PHP serialization
f7ca045
asmecher added a commit that referenced this issue Nov 26, 2019
@asmecher
#5302 Use JSON rather than PHP serialization
a8ca554
asmecher added a commit that referenced this issue Nov 26, 2019
@asmecher
#5302 Use JSON rather than PHP serialization
dcea7ec
asmecher added a commit that referenced this issue Nov 26, 2019
@asmecher
#5302 Use JSON rather than PHP serialization
7808c1e
@asmecher

This comment has been minimized.

Sign in to view
Copy link
Member Author

@asmecher asmecher commented Nov 26, 2019

To patch an existing OJS 3.x or OMP installation, apply this patch in the lib/pkp directory of your installation. For example:

cd lib/pkp
wget -O - -q "https://github.com/pkp/pkp-lib/commit/7808c1e50cd8545f239c9192d049bb614807b475.diff" | patch -p1

You should get something like:

checking file classes/statistics/PKPStatisticsHelper.inc.php
checking file pages/management/PKPToolsHandler.inc.php
Hunk #1 succeeded at 200 (offset 30 lines).

If you see any error messages, double-check that the patch applied correctly.

This issue will be fixed in OJS and OMP 3.1.2-2 and newer.
@asmecher asmecher closed this Nov 26, 2019
asmecher added a commit to pkp/usageStats that referenced this issue Nov 28, 2019
@asmecher
pkp/pkp-lib#5302 Usage stats report plugin serialization to JSON
1dc0caf
asmecher added a commit to pkp/usageStats that referenced this issue Nov 28, 2019
@asmecher
pkp/pkp-lib#5302 Usage stats report plugin serialization to JSON
c1d1f0c
asmecher added a commit that referenced this issue Dec 3, 2019
@asmecher
#5302 Cast stdClass to array to avoid warnings
8486017
@asmecher asmecher self-assigned this Dec 18, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@asmecher asmecher

Labels
Critical Issue
Projects
None yet
Milestone
  OJS/OMP 3.1.2-2
1 participant
@asmecher
You can’t perform that action at this time.