From 9adf2b402dbdf92aa9b20aa7d04e8e692c9b1082 Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Sun, 13 Jul 2014 09:39:34 +0000
Subject: [PATCH] make detection of serialized values more robust, to allow string like eg. "a:hello"
---
 phpgwapi/inc/class.config.inc.php | 7 ++++---
 phpgwapi/inc/common_functions.inc.php | 14 ++++++--------
 2 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/phpgwapi/inc/class.config.inc.php b/phpgwapi/inc/class.config.inc.php
index b90ca0efde..fc6adbed46 100755
--- a/phpgwapi/inc/class.config.inc.php
+++ b/phpgwapi/inc/class.config.inc.php
@@ -313,17 +313,18 @@ class config
 {
 return $str;
 }
- // handling of old PHP serialized and addslashed prefs
+ // handling of old PHP serialized config values
 $data = php_safe_unserialize($str);
 if($data === false)
 {
- // manually retrieve the string lengths of the serialized array if unserialize failed
+ // manually retrieve the string lengths of the serialized array if unserialize failed (iso / utf-8 conversation)
 $data = php_safe_unserialize(preg_replace_callback('!s:(\d+):"(.*?)";!s', function($matches)
 {
 return 's:'.mb_strlen($matches[2],'8bit').':"'.$matches[2].'";';
 }, $str));
 }
- return $data;
+ // returning original string, if unserialize failed, eg. for "a:hello"
+ return $data === false ? $str : $data;
 }
 
 /**
diff --git a/phpgwapi/inc/common_functions.inc.php b/phpgwapi/inc/common_functions.inc.php
index d703a46316..08c68c1bfc 100755
--- a/phpgwapi/inc/common_functions.inc.php
+++ b/phpgwapi/inc/common_functions.inc.php
@@ -1549,7 +1549,7 @@ function php_safe_unserialize($str)
 preg_match('/(^|;|{)[OC]:\d+:"/', $str))
 {
 error_log(__METHOD__."('$str') contains objects --> return false");
- return false;
+ return null; // null, not false, to not trigger behavior of returning string itself to app code
 }
 return unserialize($str);
 }
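Review bot: The new fallback `return $data === false ? $str : $data;` in class.config.inc.php treats every `false` as "not serialized", but `unserialize()` also returns `false` for a valid serialized boolean (`b:0;`), so such a value would come back as the literal string rather than `false`. Whether `b:0;` can reach this line depends on the guard above the hunk, which is not visible here; if it can, `return $data === false && $str !== 'b:0;' ? $str : $data;` keeps the two cases apart. The fallback also returns a blob that failed both decode attempts as if it were an ordinary config string, so the comment should say that callers receive the raw, unvalidated text in that case. The added comment says "conversation" where "conversion" is meant. The enclosing method starts before the hunk.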
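Review bot: Returning `null` for rejected input in php_safe_unserialize() makes the result ambiguous, because `null` is also what `unserialize('N;')` yields; callers can no longer tell "contained objects, rejected" from a stored null, and any caller outside this diff that tests `=== false` to detect rejection will now miss it. The `error_log()` text on the line above still ends in "--> return false" and should read "--> return null", and the docblock (outside the hunk) should list the three outcomes: `null` for rejected objects, `false` when `unserialize()` fails, otherwise the decoded value. That log call also writes the whole rejected `$str` into the error log unescaped, so truncating it and stripping control characters would keep possibly hostile payloads from bloating or forging log entries. The `[OC]:\d+:"` pattern is a textual heuristic; on PHP 7 and later, `unserialize($str, ['allowed_classes' => false])` enforces the no-objects policy in the engine and is worth adding alongside it.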
@@ -1601,18 +1601,16 @@ if (isset($_SERVER['SCRIPT_FILENAME']) && $_SERVER['SCRIPT_FILENAME'] == __FILE_
 */
 function json_php_unserialize($str, $allow_not_serialized=false)
 {
- if ($str[0] == 'a' && $str[1] == ':' || $str === 'N;')
+ if (($str[0] == 'a' && $str[1] == ':' || $str === 'N;') &&
+ ($arr = php_safe_unserialize($str)) !== false)
 {
- return php_safe_unserialize($str);
+ return $arr;
 }
- elseif (!$allow_not_serialized || $str[0] == '[' || $str[0] == '{')
+ if (!$allow_not_serialized || $str[0] == '[' || $str[0] == '{')
 {
 return json_decode($str, true);
 }
- else
- {
- return $str;
- }
+ return $str;
 }
 
 /**
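Review bot: The prefix test `$str[0] == 'a' && $str[1] == ':'` in json_php_unserialize() still sends every string that merely starts with "a:" into `unserialize()`, which raises a notice for input such as "a:hello" and relies on the new fallback to recover. Matching the real array header instead, e.g. `preg_match('/^a:\d+:\{/', $str)`, would keep ordinary strings away from `unserialize()` altogether; that matters if callers using `$allow_not_serialized` pass user-supplied text, which is not visible here. `$str[0]` is also read without checking for an empty string, so an explicit emptiness check before indexing would avoid the string-offset warning. The docblock starts above the hunk; its return description should mention that `null` now also means "serialized objects were rejected".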