make detection of serialized values more robust, to allow string like eg. "a:hello"

This commit is contained in:
Ralf Becker 2014-07-13 09:39:34 +00:00
parent d1d743e4b9
commit 9adf2b402d
2 changed files with 10 additions and 11 deletions

View File

@ -313,17 +313,18 @@ class config
{
return $str;
}
// handling of old PHP serialized and addslashed prefs
// handling of old PHP serialized config values
$data = php_safe_unserialize($str);
if($data === false)
{
// manually retrieve the string lengths of the serialized array if unserialize failed
// manually retrieve the string lengths of the serialized array if unserialize failed (iso / utf-8 conversation)
$data = php_safe_unserialize(preg_replace_callback('!s:(\d+):"(.*?)";!s', function($matches)
{
return 's:'.mb_strlen($matches[2],'8bit').':"'.$matches[2].'";';
}, $str));
}
return $data;
// returning original string, if unserialize failed, eg. for "a:hello"
return $data === false ? $str : $data;
}
/**

View File

@ -1549,7 +1549,7 @@ function php_safe_unserialize($str)
preg_match('/(^|;|{)[OC]:\d+:"/', $str))
{
error_log(__METHOD__."('$str') contains objects --> return false");
return false;
return null; // null, not false, to not trigger behavior of returning string itself to app code
}
return unserialize($str);
}
@ -1601,19 +1601,17 @@ if (isset($_SERVER['SCRIPT_FILENAME']) && $_SERVER['SCRIPT_FILENAME'] == __FILE_
*/
function json_php_unserialize($str, $allow_not_serialized=false)
{
if ($str[0] == 'a' && $str[1] == ':' || $str === 'N;')
if (($str[0] == 'a' && $str[1] == ':' || $str === 'N;') &&
($arr = php_safe_unserialize($str)) !== false)
{
return php_safe_unserialize($str);
return $arr;
}
elseif (!$allow_not_serialized || $str[0] == '[' || $str[0] == '{')
if (!$allow_not_serialized || $str[0] == '[' || $str[0] == '{')
{
return json_decode($str, true);
}
else
{
return $str;
}
}
/**
* php5 autoload function for eGroupWare understanding the following naming schema: