chamilo
diff --git a/‎main/admin/career_diagram.php
Lines changed: 18 additions & 1 deletion b/‎main/admin/career_diagram.php
Lines changed: 18 additions & 1 deletion
diff --git a/‎main/admin/gradebook_list.php
Lines changed: 5 additions & 1 deletion b/‎main/admin/gradebook_list.php
Lines changed: 5 additions & 1 deletion
diff --git a/‎main/auth/sso/sso.Drupal.class.php
Lines changed: 5 additions & 1 deletion b/‎main/auth/sso/sso.Drupal.class.php
Lines changed: 5 additions & 1 deletion
diff --git a/‎main/auth/sso/sso.class.php
Lines changed: 5 additions & 1 deletion b/‎main/auth/sso/sso.class.php
Lines changed: 5 additions & 1 deletion
diff --git a/‎main/course_home/course_home.php
Lines changed: 11 additions & 1 deletion b/‎main/course_home/course_home.php
Lines changed: 11 additions & 1 deletion
diff --git a/‎main/exercise/hotspot_admin.inc.php
Lines changed: 9 additions & 7 deletions b/‎main/exercise/hotspot_admin.inc.php
Lines changed: 9 additions & 7 deletions
diff --git a/‎main/exercise/question.class.php
Lines changed: 5 additions & 1 deletion b/‎main/exercise/question.class.php
Lines changed: 5 additions & 1 deletion
diff --git a/‎main/exercise/upload_exercise.php
Lines changed: 15 additions & 1 deletion b/‎main/exercise/upload_exercise.php
Lines changed: 15 additions & 1 deletion
diff --git a/‎main/extra/upgrade_school_calendar.php
Lines changed: 8 additions & 1 deletion b/‎main/extra/upgrade_school_calendar.php
Lines changed: 8 additions & 1 deletion
diff --git a/‎main/gradebook/lib/be/category.class.php
Lines changed: 10 additions & 5 deletions b/‎main/gradebook/lib/be/category.class.php
Lines changed: 10 additions & 5 deletions
@@ -14,6 +14,12 @@
 ALTER TABLE extra_field_values modify column value longtext null;
 */
 
+use Brumann\Polyfill\Unserialize;
+use Fhaculty\Graph\Graph;
+use Fhaculty\Graph\Set\Edges;
+use Fhaculty\Graph\Set\Vertices;
+use Fhaculty\Graph\Set\VerticesMap;
+
 $cidReset = true;
 require_once __DIR__.'/../inc/global.inc.php';
 
@@ -106,7 +112,18 @@
 $tpl = new Template(get_lang('Diagram'));
 $html = Display::page_subheader2($careerInfo['name'].$urlToString);
 if (!empty($item) && isset($item['value']) && !empty($item['value'])) {
-    $graph = unserialize($item['value']);
+    /** @var Graph $graph */
+    $graph = Unserialize::unserialize(
+        $item['value'],
+        [
+            'allowed_classes' => [
+                Graph::class,
+                VerticesMap::class,
+                Vertices::class,
+                Edges::class
+            ],
+        ]
+    );
     $html .= Career::renderDiagramByColumn($graph, $tpl);
 } else {
     Display::addFlash(
 
@@ -1,6 +1,7 @@
 <?php
 /* For licensing terms, see /license.txt */
 
+use Brumann\Polyfill\Unserialize;
 use Chamilo\CoreBundle\Entity\GradebookCategory;
 use Doctrine\Common\Collections\Criteria;
 use Knp\Component\Pager\Paginator;
@@ -188,7 +189,10 @@
 
             $options = [];
             if (!empty($categoryData['depends'])) {
-                $list = unserialize($categoryData['depends']);
+                $list = Unserialize::unserialize(
+                    $categoryData['depends'],
+                    ['allowed_classes' => false]
+                );
                 foreach ($list as $itemId) {
                     $courseInfo = api_get_course_info_by_id($itemId);
                     $options[$itemId] = $courseInfo['name'];
 
@@ -1,6 +1,7 @@
 <?php
 /* For licensing terms, see /license.txt */
 
+use Brumann\Polyfill\Unserialize;
 use ChamiloSession as Session;
 
 /**
@@ -293,6 +294,9 @@ public function generateProfileEditingURL($userId = 0, $asAdmin = false)
      */
     private function decode_cookie($cookie)
     {
-        return unserialize(base64_decode($cookie));
+        return Unserialize::unserialize(
+            base64_decode($cookie),
+            ['allowed_classes' => false]
+        );
     }
 }
@@ -1,6 +1,7 @@
 <?php
 /* For licensing terms, see /license.txt */
 
+use Brumann\Polyfill\Unserialize;
 use ChamiloSession as Session;
 
 /**
@@ -296,6 +297,9 @@ public function generateProfileEditingURL($userId = 0, $asAdmin = false)
      */
     private function decode_cookie($cookie)
     {
-        return unserialize(base64_decode($cookie));
+        return Unserialize::unserialize(
+            base64_decode($cookie),
+            ['allowed_classes' => false]
+        );
     }
 }
@@ -1,7 +1,12 @@
 <?php
 /* For licensing terms, see /license.txt */
 
+use Brumann\Polyfill\Unserialize;
 use ChamiloSession as Session;
+use Fhaculty\Graph\Graph;
+use Fhaculty\Graph\Set\Edges;
+use Fhaculty\Graph\Set\Vertices;
+use Fhaculty\Graph\Set\VerticesMap;
 
 /**
  * HOME PAGE FOR EACH COURSE.
@@ -392,7 +397,12 @@
                 );
 
                 if (!empty($item) && isset($item['value']) && !empty($item['value'])) {
-                    $graph = unserialize($item['value']);
+                    $graph = Unserialize::unserialize(
+                        $item['value'],
+                        [
+                            'allowed_classes' => [Graph::class, VerticesMap::class, Vertices::class, Edges::class],
+                        ]
+                    );
                     $diagram = Career::renderDiagram($careerInfo, $graph);
                 }
             }
 
@@ -1,6 +1,7 @@
 <?php
 /* For licensing terms, see /license.txt */
 
+use Brumann\Polyfill\Unserialize;
 use ChamiloSession as Session;
 
 /**
@@ -56,13 +57,14 @@
         $objAnswer = new Answer($questionId);
     }
 
-    $color = unserialize($color);
-    $reponse = unserialize($reponse);
-    $comment = unserialize($comment);
-    $weighting = unserialize($weighting);
-    $hotspot_coordinates = unserialize($hotspot_coordinates);
-    $hotspot_type = unserialize($hotspot_type);
-    $destination = unserialize($destination);
+    $color = Unserialize::unserialize($color, ['allowed_classes' => false]);
+    $reponse = Unserialize::unserialize($reponse, ['allowed_classes' => false]);
+    $comment = Unserialize::unserialize($comment, ['allowed_classes' => false]);
+    $comment = Unserialize::unserialize($comment, ['allowed_classes' => false]);
+    $weighting = Unserialize::unserialize($weighting, ['allowed_classes' => false]);
+    $hotspot_coordinates = Unserialize::unserialize($hotspot_coordinates, ['allowed_classes' => false]);
+    $hotspot_type = Unserialize::unserialize($hotspot_type, ['allowed_classes' => false]);
+    $destination = Unserialize::unserialize($destination, ['allowed_classes' => false]);
     unset($buttonBack);
 }
 
 
@@ -1,6 +1,7 @@
 <?php
 /* For licensing terms, see /license.txt */
 
+use Brumann\Polyfill\Unserialize;
 use Chamilo\CourseBundle\Entity\CQuizAnswer;
 
 /**
@@ -1145,7 +1146,10 @@ public function search_engine_edit(
                 $se_doc = $di->get_document((int) $se_ref['search_did']);
                 if ($se_doc !== false) {
                     if (($se_doc_data = $di->get_document_data($se_doc)) !== false) {
-                        $se_doc_data = unserialize($se_doc_data);
+                        $se_doc_data = Unserialize::unserialize(
+                            $se_doc_data,
+                            ['allowed_classes' => false]
+                        );
                         if (isset($se_doc_data[SE_DATA]['type']) &&
                             $se_doc_data[SE_DATA]['type'] == SE_DOCTYPE_EXERCISE_QUESTION
                         ) {
 
@@ -1,6 +1,7 @@
 <?php
 /* For licensing terms, see /license.txt */
 
+use Brumann\Polyfill\Unserialize;
 use ChamiloSession as Session;
 
 /**
@@ -548,7 +549,20 @@ function lp_upload_quiz_action_handling()
         $lpObject = Session::read('lpobject');
 
         if (!empty($lpObject)) {
-            $oLP = unserialize($lpObject);
+            /** @var learnpath $oLP */
+            $oLP = Unserialize::unserialize(
+                $lpObject,
+                [
+                    'allowed_classes' => [
+                        learnpath::class,
+                        learnpathItem::class,
+                        aiccItem::class,
+                        scormItem::class,
+                        Link::class,
+                        LpItem::class,
+                    ],
+                ]
+            );
             if (is_object($oLP)) {
                 if ((empty($oLP->cc)) || $oLP->cc != api_get_course_id()) {
                     $oLP = null;
 
@@ -2,6 +2,8 @@
 /* For licensing terms, see /license.txt */
 
 // not used??
+use Brumann\Polyfill\Unserialize;
+
 exit;
 
 require_once '../inc/global.inc.php';
@@ -28,6 +30,11 @@
 $d_number = (int) $d_number;
 $sql4 = "UPDATE set_module SET cal_day_num = $d_number WHERE id = $d_id ";
 Database::query($sql4);
-print_r(unserialize(Security::remove_XSS($_POST['aaa'])));
+print_r(
+    Unserialize::unserialize(
+        Security::remove_XSS($_POST['aaa']),
+        ['allowed_classes' => false]
+    )
+);
 
 Display::display_footer();
@@ -1,6 +1,7 @@
 <?php
 /* For licensing terms, see /license.txt */
 
+use Brumann\Polyfill\Unserialize;
 use Chamilo\CoreBundle\Entity\GradebookCategory;
 use ChamiloSession as Session;
 
@@ -264,12 +265,16 @@ public function setIsRequirement($isRequirement)
      */
     public function setCourseListDependency($value)
     {
-        $result = [];
-        if (@unserialize($value) !== false) {
-            $result = unserialize($value);
-        }
+        $this->courseDependency = [];
 
-        $this->courseDependency = $result;
+        $unserialized = @Unserialize::unserialize(
+            $value,
+            ['allowed_classes' => false]
+        );
+
+        if (false !== $unserialized) {
+            $this->courseDependency = $unserialized;
+        }
     }
 
     /**
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`<?php`
`2`	`2`	`/* For licensing terms, see /license.txt */`
`3`	`3`
	`4`	`+use Brumann\Polyfill\Unserialize;`
`4`	`5`	`use ChamiloSession as Session;`
`5`	`6`
`6`	`7`	`/**`
`@@ -293,6 +294,9 @@ public function generateProfileEditingURL($userId = 0, $asAdmin = false)`
`293`	`294`	`*/`
`294`	`295`	`private function decode_cookie($cookie)`
`295`	`296`	`{`
`296`		`- return unserialize(base64_decode($cookie));`
	`297`	`+ return Unserialize::unserialize(`
	`298`	`+ base64_decode($cookie),`
	`299`	`+ ['allowed_classes' => false]`
	`300`	`+ );`
`297`	`301`	`}`
`298`	`302`	`}`