Clean up unserialize() in the config system

Issue created by @benjifisher
Comment 13 days ago →
🇬🇧United Kingdom catch
benjifisher → credited catch → .
Comment 13 days ago →
🇺🇸United States greggles Denver, Colorado, USA
benjifisher → credited greggles → .
Comment 13 days ago →
🇦🇺Australia larowlan 🇦🇺🏝.au GMT+10
benjifisher → credited larowlan → .
Comment 13 days ago →
🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
benjifisher → credited mcdruid → .
Comment 13 days ago →
🇺🇸United States benjifisher Boston area
Merge request !12167Config objects should be simple arrays → (Open) created by benjifisher
Comment 13 days ago →
🇺🇸United States benjifisher Boston area
I think it is all right to allow stClass, but tests are passing with ['allowed_classes' => FALSE], so let's at least consider that.

Does this issue need a change record? If there are any contrib or custom modules that extend the DatabaseStorage class, and they need to allow other classes in unserialize(), then the good news is that they can easily override the decode() method, which is now

public function decode($raw) { $data = @unserialize($raw, ['allowed_classes' => FALSE]); return is_array($data) ? $data : FALSE; }
Pipeline finished with Success
13 days ago
Total: 2745s
#500493
Comment 13 days ago →
🇺🇸United States benjifisher Boston area
Comment 10 days ago →
🇺🇸United States smustgrave
I see there is one more @unserialize is that impacted?

🇺🇸United States benjifisher Boston area

This issue is scoped to the Config system, and I think there is only one:

$ grep -ri unserialize core/lib/Drupal/Core/Config
core/lib/Drupal/Core/Config/DatabaseStorage.php:   *   The unserialize() call will trigger E_NOTICE if the string cannot
core/lib/Drupal/Core/Config/DatabaseStorage.php:   *   be unserialized.
core/lib/Drupal/Core/Config/DatabaseStorage.php:    $data = @unserialize($raw);

Did I miss something or are you thinking of something outside the Config system?

Comment 9 days ago →
🇺🇸United States smustgrave
No just saw this other instance and didn't know if it had the same problem.
Comment 9 days ago →
🇺🇸United States benjifisher Boston area
Then I guess you mean the usage in the dblog module:

$ grep -ri @unserialize core core/modules/dblog/src/Controller/DbLogController.php: $variables = @unserialize($row->variables); core/lib/Drupal/Core/Config/DatabaseStorage.php: $data = @unserialize($raw);
The @ just tells PHP to ignore errors from serialize(): see Error Control Operators in the PHP docs. There are many other calls to serialize() in Drupal core.

In the long run, we should switch to using json_encode() and json_decode() (or the equivalent methods in Drupal\Component\Serialization\Json) whenever possible instead of serialize() and unserialize(). In the short run, it is less disruptive to specify allowed_classes.
Comment 9 days ago →
🇺🇸United States benjifisher Boston area
Comment 5 days ago →
🇺🇸United States smustgrave
Not 100% how else to test so am relying on tests, which are green. Locally nothing seems broken so going to go on a limb

Clean up unserialize() in the config system

Background information

Problem/Motivation

Proposed resolution

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Merge Requests

!12167Clean up unserialize() in the config system
Open

Comments & Activities

Clean up unserialize() in the config system

Background information

Problem/Motivation

Proposed resolution

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Merge Requests

!12167Clean up unserialize() in the config systemOpen

Comments & Activities

!12167Clean up unserialize() in the config system
Open