From d31d46bea3a4e42624b5d6aa13d208b1ba740dfb Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Mon, 24 Aug 2015 13:32:27 +0000
Subject: [PATCH] using a white-list currently only matching favorites
---
 phpgwapi/inc/class.preferences.inc.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/phpgwapi/inc/class.preferences.inc.php b/phpgwapi/inc/class.preferences.inc.php
index 50ef277340..1a4aa7d67f 100644
--- a/phpgwapi/inc/class.preferences.inc.php
+++ b/phpgwapi/inc/class.preferences.inc.php
@@ -218,9 +218,11 @@ class preferences
 $prefs[$row['preference_owner']][$app] = self::unserialize($row['preference_value']);
 // fix old PHP serialized attribute-values
- foreach($prefs[$row['preference_owner']][$app] as &$val)
+ foreach($prefs[$row['preference_owner']][$app] as $name => &$val)
 {
- if (is_string($val) && $val[0] != 'a' && $val[1] != ':' && ($v = php_safe_unserialize($val)))
+ if (is_string($val) && $val[0] != 'a' && $val[1] != ':' &&
+ // using a white-list currently only matching favorites
+ substr($name, 0, 9) == 'favorite_' && ($v = php_safe_unserialize($val)))
 {
 $val = $v;
 }
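Review bot: The guard kept on the new `if` line, `$val[0] != 'a' && $val[1] != ':'`, only passes strings whose second character is not `:`, yet every PHP-serialized value except `N;` has `:` in that position, so the values the comment wants to fix appear to be rejected before `php_safe_unserialize()` is ever reached. If the intent is to convert only serialized arrays stored under favorites, test that explicitly and put the name check first so non-favorite and empty strings are never indexed: `if (is_string($val) && strncmp($name, 'favorite_', 9) === 0 && strncmp($val, 'a:', 2) === 0 &&` followed by `is_array($v = php_safe_unserialize($val)))`. The allow-list filters on the preference name only, so what is accepted from the stored value still depends on `php_safe_unserialize()`, whose implementation is not visible here; requiring an array result keeps anything else out of `$prefs`. The end of the loop is outside the hunk, so whether the `&$val` reference is `unset()` after the `foreach` cannot be confirmed from this patch.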