make detection of serialized values more robust, to allow string like eg. "a:hello"

This commit is contained in:
Ralf Becker 2014-07-13 09:39:34 +00:00
parent d1d743e4b9
commit 9adf2b402d
2 changed files with 10 additions and 11 deletions

View File

@ -313,17 +313,18 @@ class config
{ {
return $str; return $str;
} }
// handling of old PHP serialized and addslashed prefs // handling of old PHP serialized config values
$data = php_safe_unserialize($str); $data = php_safe_unserialize($str);
if($data === false) if($data === false)
{ {
// manually retrieve the string lengths of the serialized array if unserialize failed // manually retrieve the string lengths of the serialized array if unserialize failed (iso / utf-8 conversation)
$data = php_safe_unserialize(preg_replace_callback('!s:(\d+):"(.*?)";!s', function($matches) $data = php_safe_unserialize(preg_replace_callback('!s:(\d+):"(.*?)";!s', function($matches)
{ {
return 's:'.mb_strlen($matches[2],'8bit').':"'.$matches[2].'";'; return 's:'.mb_strlen($matches[2],'8bit').':"'.$matches[2].'";';
}, $str)); }, $str));
} }
return $data; // returning original string, if unserialize failed, eg. for "a:hello"
return $data === false ? $str : $data;
} }
/** /**

View File

@ -1549,7 +1549,7 @@ function php_safe_unserialize($str)
preg_match('/(^|;|{)[OC]:\d+:"/', $str)) preg_match('/(^|;|{)[OC]:\d+:"/', $str))
{ {
error_log(__METHOD__."('$str') contains objects --> return false"); error_log(__METHOD__."('$str') contains objects --> return false");
return false; return null; // null, not false, to not trigger behavior of returning string itself to app code
} }
return unserialize($str); return unserialize($str);
} }
@ -1601,18 +1601,16 @@ if (isset($_SERVER['SCRIPT_FILENAME']) && $_SERVER['SCRIPT_FILENAME'] == __FILE_
*/ */
function json_php_unserialize($str, $allow_not_serialized=false) function json_php_unserialize($str, $allow_not_serialized=false)
{ {
if ($str[0] == 'a' && $str[1] == ':' || $str === 'N;') if (($str[0] == 'a' && $str[1] == ':' || $str === 'N;') &&
($arr = php_safe_unserialize($str)) !== false)
{ {
return php_safe_unserialize($str); return $arr;
} }
elseif (!$allow_not_serialized || $str[0] == '[' || $str[0] == '{') if (!$allow_not_serialized || $str[0] == '[' || $str[0] == '{')
{ {
return json_decode($str, true); return json_decode($str, true);
} }
else return $str;
{
return $str;
}
} }
/** /**