unserialize() is insecure unless allowed classes are limited. Use a safe format like JSON or use the allowed_classes option

Created on 14 June 2023, almost 2 years ago
Updated 16 January 2024, about 1 year ago

Problem/Motivation

FILE: D:\xampp\htdocs\drupal_10\web\modules\contrib\honeypot\tests\fixtures\update\drupal-8.honeypot-add-hostname-column-3121331.php
-------------------------------------------------------------------------------------------------------------------------------------------
FOUND 1 ERROR AFFECTING 1 LINE
-------------------------------------------------------------------------------------------------------------------------------------------
60 | ERROR | unserialize() is insecure unless allowed classes are limited. Use a safe format like JSON or use the allowed_classes option.
-------------------------------------------------------------------------------------------------------------------------------------------

Proposed resolution

$extensions = unserialize($extensions, ['allowed_classes' => FALSE]);
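Added example (not code from the issue or from the honeypot module) showing what the proposed `allowed_classes => FALSE` option changes: the fixture's plain-array extension list decodes exactly as before, while a serialized object comes back as `__PHP_Incomplete_Class` and none of its magic methods run. `ExampleWithWakeup` and `enable_module_in_blob()` are hypothetical names used only for this illustration.

```php
<?php
// Hypothetical class standing in for any class with a magic method: when
// unserialize() is allowed to instantiate it, __wakeup() runs automatically.
class ExampleWithWakeup {
  public static $wakeupRan = FALSE;
  public function __wakeup() {
    self::$wakeupRan = TRUE;
  }
}

/**
 * Mirrors what the update-test fixture does with core.extension data: decode
 * the serialized extension list, enable a module, re-encode. Plain arrays
 * survive allowed_classes => FALSE unchanged, so the hardening does not alter
 * the legitimate input.
 */
function enable_module_in_blob($blob, $module) {
  $extensions = unserialize($blob, ['allowed_classes' => FALSE]);
  $extensions['module'][$module] = 0;
  return serialize($extensions);
}

// Constructed sample resembling core.extension config data.
$blob = serialize(['module' => ['system' => 0, 'user' => 0], 'theme' => ['claro' => 0]]);
$updated = unserialize(enable_module_in_blob($blob, 'honeypot'), ['allowed_classes' => FALSE]);
assert(isset($updated['module']['honeypot']));

// Constructed sample of the input the sniff warns about: a serialized object.
$objectBlob = serialize(new ExampleWithWakeup());

// Unrestricted unserialize(): the class is instantiated and __wakeup() fires.
ExampleWithWakeup::$wakeupRan = FALSE;
unserialize($objectBlob);
assert(ExampleWithWakeup::$wakeupRan === TRUE);

// With allowed_classes => FALSE the object is returned as __PHP_Incomplete_Class
// and no constructor or magic method of the original class is executed.
ExampleWithWakeup::$wakeupRan = FALSE;
$result = unserialize($objectBlob, ['allowed_classes' => FALSE]);
assert($result instanceof __PHP_Incomplete_Class);
assert(ExampleWithWakeup::$wakeupRan === FALSE);

echo "allowed_classes => FALSE kept the array data but blocked object instantiation\n";
```

Run with `php -d zend.assertions=1 example.php` so the assertions are evaluated; the `allowed_classes` option requires PHP 7.0 or later.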

📌 Task
Status

Postponed: needs info

Version

2.1

Component

Code

Created by

🇮🇳India arti_parmar


Comments & Activities

  • Issue created by @arti_parmar
  • Issue was unassigned.
  • Status changed to Needs review almost 2 years ago
  • Test run: Core: 9.5.5 + Environment: PHP 7.3 & MySQL 5.7
    last update almost 2 years ago
    27 pass
  • 🇮🇳India arti_parmar

    Kindly review patch.

  • 🇺🇸United States tr Cascadia

    Your patch is not wrong, but it's not necessary either. This is a test fixture which is used only when running tests on the testbot. The input is constrained and there is no way this specific usage poses a security vulnerability for any site that has honeypot installed.

    Specifically, this exact usage of unserialize() in test fixtures is copied directly from core, so if you think this is a problem then please open up an issue for core Drupal and report it. That is where it needs to be fixed, because there are hundreds of contributed modules which copy this usage from core. Fixing it here without reporting it in the core queue would be irresponsible.

    See
    core/modules/system/tests/fixtures/update/drupal-8.update-test-schema-enabled.php
    core/modules/system/tests/fixtures/update/drupal-8.update-test-semver-update-n-enabled.php
    core/modules/ckeditor5/tests/fixtures/update/ckeditor5-3222756.php
    core/modules/ckeditor5/tests/fixtures/update/ckeditor5-3259593.php

  • 🇺🇸United States tr Cascadia

    @arti_parmar: Did you open a core issue?

  • Status changed to Postponed: needs info about 1 year ago
  • 🇺🇸United States tr Cascadia