Clean up unserialize() in the migration modules

Open on Drupal.org →

Created on 19 May 2025, 13 days ago

Background information

This was originally logged as a private issue to the security team, but was cleared to be moved to the public queue

security.drupal.org private issue: https://security.drupal.org/node/182951
(included for reference. Please do not report access denied as an error.)

Problem/Motivation

There are several calls to unserialize() in the migration modules (migrate, migrate_drupal, and migrate_drupal_ui). We should add the optional $options parameter to most or all of these, setting allowed_classes.

Proposed resolution

Remaining tasks

User interface changes

None

Introduced terminology

None

API changes

None

Data model changes

None

Release notes snippet

N/A

📌 Task

Status

Active

Version

11.0 🔥

Component

migration system

Created by

🇺🇸United States benjifisher Boston area

Live updates comments and jobs are added and updated live.

Security improvements
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Sign in to follow issues

Merge Requests

!12166Clean up unserialize() in the migration modules
Open
🇺🇸United States benjifisher
updated 13 days ago

Comments & Activities

Issue created by @benjifisher
Comment 13 days ago →
🇬🇧United Kingdom catch
benjifisher → credited catch → .
Comment 13 days ago →
🇺🇸United States greggles Denver, Colorado, USA
benjifisher → credited greggles → .
Comment 13 days ago →
🇦🇺Australia larowlan 🇦🇺🏝.au GMT+10
benjifisher → credited larowlan → .
Comment 13 days ago →
🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
benjifisher → credited mcdruid → .
Comment 13 days ago →
🇺🇸United States benjifisher Boston area
Comment 13 days ago →
🇺🇸United States benjifisher Boston area
I added , ['allowed_classes' => FALSE] everywhere. Let's see what that does to the automated tests.
Merge request !12166Add ['allowed_classes' => FALSE] to unserialize() in migrate modules → (Open) created by benjifisher
Pipeline finished with Failed
13 days ago
#500444
Pipeline finished with Success
13 days ago
Total: 488s
#500470
Comment 5 days ago →
🇺🇸United States smustgrave
not 100% how to test but talked a little in the related issue 📌 Clean up unserialize() in the config system Active , relying on the tests for this one which are green. Since migration is marked to be removed in D12 and issues are being postponed might be good to get this in now. So going to mark it.
Comment 5 days ago →
🇺🇸United States benjifisher Boston area
Thanks for the review.

Since migration is marked to be removed in D12 and issues are being postponed might be good to get this in now.

The plan is to remove the migrate_drupal and migrate_drupal_ui modules. The migrate module is going to stay in Drupal core (maybe not forever). MR !12166 includes changes for all three.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024