r51341 MediaWiki - Code Review archive

Repository:MediaWiki
Date:12:59, 2 June 2009
Author:werdna
Status:ok
Tags:
Comment:
Per comments on code review, use JSON instead of PHP serialization for AbuseFilter data interchange. Calling PHP's unserialize() on attacker-controlled input can lead to remote code execution.
Modified paths:
  • /trunk/extensions/AbuseFilter/Views/AbuseFilterViewEdit.php (modified) (history)
  • /trunk/phase3/includes/GlobalFunctions.php (modified) (history)


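--- a/trunk/phase3/includes/GlobalFunctions.php
+++ b/trunk/phase3/includes/GlobalFunctions.php
@@ -3127,3 +3127,17 @@
 
  return $output;
  }
+
+/* Recursively converts the parameter (an object) to an array with the same data */
+function wfObjectToArray( $object, $recursive = true ) {
+ $array = array();
+ foreach ( get_object_vars($object) as $key => $value ) {
+ if ( is_object($value) && $recursive ) {
+ $value = wfObjectToArray( $value );
+ }
+
+ $array[$key] = $value;
+ }
+
+ return $array;
+}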
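Review bot: wfObjectToArray has no guard for a non-object argument: get_object_vars() on null or a scalar returns null with a warning, and the foreach then warns again, so a caller that hands it the result of a failed json_decode() gets an empty array and two PHP warnings instead of a clear failure. Since this helper is being added precisely to consume decoded untrusted input, add `if ( !is_object( $object ) ) { return array(); }` as the first statement, with a comment saying non-objects are rejected rather than coerced. The recursion also only descends into values that are themselves objects, so an object nested inside an array value stays a stdClass; whether that matters depends on the JSON shapes callers pass, which is not visible here. The recursive call drops the $recursive flag — harmless today because the branch only runs when it is true, but `$value = wfObjectToArray( $value, $recursive );` keeps the contract explicit. The one-line comment should also state the return type and that only the object's accessible properties are copied.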
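--- a/trunk/extensions/AbuseFilter/Views/AbuseFilterViewEdit.php
+++ b/trunk/extensions/AbuseFilter/Views/AbuseFilterViewEdit.php
@@ -368,7 +368,7 @@
  }
 
  // Add export
- $exportText = serialize( array( 'row' => $row, 'actions' => $actions ) );
+ $exportText = json_encode( array( 'row' => $row, 'actions' => $actions ) );
  $tools .= Xml::tags( 'a', array( 'href' => 'javascript:afShowExport();' ),
  wfMsgExt( 'abusefilter-edit-export', 'parseinline' ) );
  $tools .= Xml::element( 'textarea',
@@ -676,10 +676,10 @@
  // Check for importing
  $import = $wgRequest->getVal( 'wpImportText' );
  if ($import) {
- $data = unserialize($import);
+ $data = json_decode($import);
 
- $importRow = $data['row'];
- $actions = $data['actions'];
+ $importRow = $data->row;
+ $actions = wfObjectToArray( $data->actions );
 
  $copy = array(
  'af_public_comments',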
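Review bot: The decoded import is used without checking that it decoded at all: `json_decode($import)` returns null for malformed input and a scalar for inputs like `"1"`, so `$data->row` and `wfObjectToArray( $data->actions )` in the second hunk run against null with PHP notices and the copy loop that follows continues with an empty row rather than rejecting the import. Add a guard before the property reads, `if ( !is_object( $data ) || !isset( $data->row, $data->actions ) ) { /* report bad import and skip */ }`, and treat the wpImportText value as untrusted throughout, since it is request data. An alternative worth considering is `json_decode( $import, true )`, which yields nested arrays directly and matches the `$data['row']` shape the removed code used, making the wfObjectToArray conversion unnecessary; that would change $importRow from object to array, so the code reading it below needs to be checked. Note also that previously exported filters, which are PHP-serialized strings, will no longer import after this change, which seems intended but is worth stating in the commit message. The enclosing method starts and ends outside both hunks.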
