unserialize() is insecure unless allowed classes are limited. Use a safe format like JSON or use the allowed_classes option.

Kindly review patch.

Most of this patch is outdated because of this update: 🐛 Getting error page after the latest ACL module security update. Fixed

We now use JSON. Is it still necessary to use the allowed_classes option?

@gisle we still use serialize/unserialize in a few places, right?

• https://git.drupalcode.org/project/content_access/-/blob/16475b64565a481...
• https://git.drupalcode.org/project/content_access/-/blob/16475b64565a481...

Essentially, if we're only ever intending to store scalar values and arrays in those places, we should indeed pass , ['allowed_classes' => FALSE] as per this patch.

So yeah, I think we need this in 2.0.x.

Setting to needs work, as someone needs to provide an updated patch.

It is still used two places, in content_access.module. and in an update hook is content_access.install.

Readinng the manual page (PHP.net: unserialize), it looks like the second option should be ['allowed_classes' => FALSE] if we're unserializing an array.

I've rerolled the patch to reflect this. Please review.

Thanks @arti_parmar and @gisle this looks to have been committed here: https://git.drupalcode.org/project/content_access/-/commit/f052779116bc9...
albeit with the wrong commit message, no worries.

This made it into 2.0.0 too!

Automatically closed - issue fixed for 2 weeks with no activity.