- 🇺🇸United States nicxvan
Went through it a couple of times.
Just one question in the mr.
- 🇩🇪Germany geek-merlin Freiburg, Germany
Updated reply to @wimleers' comment regarding security of unserializing:
We already have that unrestricted unserialize in \Drupal\Core\Entity\Sql\SqlContentEntityStorage::mapFromStorageRecords today.
So if we need security hardening here, it's a separate issue. That said, after some thinking I share the concern about API-injected evil classes into field data. Thinking about where to open that issue.
- 🇩🇪Germany geek-merlin Freiburg, Germany
As of @wimleers' comment regarding security of unserializing:
SA-CORE-2019-003 is about user-entered form data.
This unserializes app-controlled data from the DB, the same as in \Drupal\Core\Cache\DatabaseBackend::prepareItem.
(Adding a comment to ALL such places makes a lot of sense though.)
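To make the difference between an unrestricted `unserialize()` and a hardened one concrete, here is a small stand-alone PHP illustration (added here; not Drupal core code and not from any of the commenters). The `AuditedRecord` class, the `containsSerializedObject()` helper and the sample payload are constructed for the example.

```php
<?php
// Added illustration (not Drupal core code): unrestricted unserialize() versus
// one that forbids object instantiation through the allowed_classes option.
declare(strict_types=1);

// Constructed stand-in for any class with a magic method that runs on unserialize.
final class AuditedRecord {
    public string $note = '';
    public function __wakeup(): void {
        // A real class might do I/O or other side effects here; this one only
        // records that the hook fired so the effect is observable.
        $this->note = 'wakeup ran';
    }
}

// Constructed sample: a stored field value that carries an object instead of the
// plain array the storage layer expects (the "API-injected class" concern above).
$stored = serialize(['value' => new AuditedRecord()]);

// Unrestricted: every class named in the payload is instantiated, and its
// __wakeup() runs before the caller sees the data.
$unrestricted = unserialize($stored);
var_dump($unrestricted['value'] instanceof AuditedRecord);
var_dump($unrestricted['value']->note);

// Hardened: with allowed_classes => false the object is returned as
// __PHP_Incomplete_Class and no method of the named class runs.
$restricted = unserialize($stored, ['allowed_classes' => false]);
var_dump($restricted['value'] instanceof __PHP_Incomplete_Class);

// Audit helper (heuristic): flag serialized strings that reference an object
// ('O:' or 'C:' token at the start or right after a separator), so stored field
// data that should only contain scalars and arrays can be found and reviewed.
function containsSerializedObject(string $serialized): bool {
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $serialized);
}
var_dump(containsSerializedObject($stored));
var_dump(containsSerializedObject(serialize(['value' => 'plain'])));
```

Run it with `php example.php`; the first `var_dump` pair shows the object instantiated and its `__wakeup()` having run, while the hardened call yields an `__PHP_Incomplete_Class` instead.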