diff --git a/composer.json b/composer.json index 24a2aac9bbc..37d4a60285f 100755 --- a/composer.json +++ b/composer.json @@ -112,7 +112,8 @@ "knplabs/knp-components": "~1.3", "guzzlehttp/guzzle": "~6.0", "onelogin/php-saml": "^3.0", - "symfony/dom-crawler": "~3.4" + "symfony/dom-crawler": "~3.4", + "brumann/polyfill-unserialize": "^1.0" }, "require-dev": { "behat/behat": "@stable", diff --git a/main/admin/career_diagram.php b/main/admin/career_diagram.php index fb16c91dd18..b118663cde2 100644 --- a/main/admin/career_diagram.php +++ b/main/admin/career_diagram.php @@ -14,6 +14,8 @@ ALTER TABLE extra_field_values modify column value longtext null; */ +use Fhaculty\Graph\Graph; + $cidReset = true; require_once __DIR__.'/../inc/global.inc.php'; @@ -106,7 +108,8 @@ $tpl = new Template(get_lang('Diagram')); $html = Display::page_subheader2($careerInfo['name'].$urlToString); if (!empty($item) && isset($item['value']) && !empty($item['value'])) { - $graph = unserialize($item['value']); + /** @var Graph $graph */ + $graph = api_unserialize_content('career', $item['value']); $html .= Career::renderDiagramByColumn($graph, $tpl); } else { Display::addFlash( diff --git a/main/admin/gradebook_list.php b/main/admin/gradebook_list.php index 056391a1a43..ae5b25deba7 100644 --- a/main/admin/gradebook_list.php +++ b/main/admin/gradebook_list.php @@ -188,7 +188,7 @@ $options = []; if (!empty($categoryData['depends'])) { - $list = unserialize($categoryData['depends']); + $list = api_unserialize_content('not_allowed_classes', $categoryData['depends']); foreach ($list as $itemId) { $courseInfo = api_get_course_info_by_id($itemId); $options[$itemId] = $courseInfo['name']; diff --git a/main/auth/sso/sso.Drupal.class.php b/main/auth/sso/sso.Drupal.class.php index e3962028372..83551b05716 100755 --- a/main/auth/sso/sso.Drupal.class.php +++ b/main/auth/sso/sso.Drupal.class.php 
@@ -293,6 +293,9 @@ public function generateProfileEditingURL($userId = 0, $asAdmin = false) */ private function decode_cookie($cookie) { - return unserialize(base64_decode($cookie)); + return api_unserialize_content( + 'not_allowed_classes', + base64_decode($cookie) + ); } } diff --git a/main/auth/sso/sso.class.php b/main/auth/sso/sso.class.php index 46e3d8d9236..81593515c91 100755 --- a/main/auth/sso/sso.class.php +++ b/main/auth/sso/sso.class.php @@ -296,6 +296,9 @@ public function generateProfileEditingURL($userId = 0, $asAdmin = false) */ private function decode_cookie($cookie) { - return unserialize(base64_decode($cookie)); + return api_unserialize_content( + 'not_allowed_classes', + base64_decode($cookie) + ); } } diff --git a/main/course_home/course_home.php b/main/course_home/course_home.php index f77669ad96c..22d5599c229 100755 --- a/main/course_home/course_home.php +++ b/main/course_home/course_home.php @@ -2,6 +2,7 @@ /* For licensing terms, see /license.txt */ use ChamiloSession as Session; +use Fhaculty\Graph\Graph; /** * HOME PAGE FOR EACH COURSE. @@ -392,7 +393,11 @@ ); if (!empty($item) && isset($item['value']) && !empty($item['value'])) { - $graph = unserialize($item['value']); + /** @var Graph $graph */ + $graph = api_unserialize_content( + 'career', + $item['value'] + ); $diagram = Career::renderDiagram($careerInfo, $graph); } } diff --git a/main/exercise/hotspot_admin.inc.php b/main/exercise/hotspot_admin.inc.php index 2835d19a3b5..10d690864a3 100755 --- a/main/exercise/hotspot_admin.inc.php +++ b/main/exercise/hotspot_admin.inc.php 
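Review bot: decode_cookie() still hands a non-strict base64_decode() result straight to the unserializer, and the identical method in sso.class.php's hunk that follows has the same shape. Passing `true` as the second argument makes base64_decode() reject input that is not valid base64 instead of decoding a best-effort byte string, and testing the result lets the method stop before unserialize is reached: `$decoded = base64_decode($cookie, true); if (false === $decoded) { return false; }` followed by `return api_unserialize_content('not_allowed_classes', $decoded);`. Whether callers already treat a false return as an invalid cookie is not visible in this hunk, so that contract should be confirmed before the guard goes in.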
@@ -56,13 +56,13 @@ $objAnswer = new Answer($questionId); } - $color = unserialize($color); - $reponse = unserialize($reponse); - $comment = unserialize($comment); - $weighting = unserialize($weighting); - $hotspot_coordinates = unserialize($hotspot_coordinates); - $hotspot_type = unserialize($hotspot_type); - $destination = unserialize($destination); + $color = api_unserialize_content('not_allowed_classes', $color); + $reponse = api_unserialize_content('not_allowed_classes', $reponse); + $comment = api_unserialize_content('not_allowed_classes', $comment); + $weighting = api_unserialize_content('not_allowed_classes', $weighting); + $hotspot_coordinates = api_unserialize_content('not_allowed_classes', $hotspot_coordinates); + $hotspot_type = api_unserialize_content('not_allowed_classes', $hotspot_type); + $destination = api_unserialize_content('not_allowed_classes', $destination); unset($buttonBack); } diff --git a/main/exercise/question.class.php b/main/exercise/question.class.php index 112d757e632..de47e439528 100755 --- a/main/exercise/question.class.php +++ b/main/exercise/question.class.php @@ -1145,7 +1145,10 @@ public function search_engine_edit( $se_doc = $di->get_document((int) $se_ref['search_did']); if ($se_doc !== false) { if (($se_doc_data = $di->get_document_data($se_doc)) !== false) { - $se_doc_data = unserialize($se_doc_data); + $se_doc_data = api_unserialize_content( + 'not_allowed_classes', + $se_doc_data + ); if (isset($se_doc_data[SE_DATA]['type']) && $se_doc_data[SE_DATA]['type'] == SE_DOCTYPE_EXERCISE_QUESTION ) { diff --git a/main/exercise/upload_exercise.php b/main/exercise/upload_exercise.php index d535cb7e9a1..74988862023 100755 --- a/main/exercise/upload_exercise.php +++ b/main/exercise/upload_exercise.php 
@@ -548,7 +548,8 @@ function lp_upload_quiz_action_handling() $lpObject = Session::read('lpobject'); if (!empty($lpObject)) { - $oLP = unserialize($lpObject); + /** @var learnpath $oLP */ + $oLP = api_unserialize_content('lp', $lpObject); if (is_object($oLP)) { if ((empty($oLP->cc)) || $oLP->cc != api_get_course_id()) { $oLP = null; diff --git a/main/extra/upgrade_school_calendar.php b/main/extra/upgrade_school_calendar.php index 0cdd51344a7..a769f65b5a6 100644 --- a/main/extra/upgrade_school_calendar.php +++ b/main/extra/upgrade_school_calendar.php @@ -2,6 +2,7 @@ /* For licensing terms, see /license.txt */ // not used?? + exit; require_once '../inc/global.inc.php'; @@ -28,6 +29,11 @@ $d_number = (int) $d_number; $sql4 = "UPDATE set_module SET cal_day_num = $d_number WHERE id = $d_id "; Database::query($sql4); -print_r(unserialize(Security::remove_XSS($_POST['aaa']))); +print_r( + api_unserialize_content( + 'not_allowed_classes', + Security::remove_XSS($_POST['aaa']) + ) +); Display::display_footer(); diff --git a/main/gradebook/lib/be/category.class.php b/main/gradebook/lib/be/category.class.php index f12b95f7c0f..10b43b8eb56 100755 --- a/main/gradebook/lib/be/category.class.php +++ b/main/gradebook/lib/be/category.class.php @@ -264,12 +264,13 @@ public function setIsRequirement($isRequirement) */ public function setCourseListDependency($value) { - $result = []; - if (@unserialize($value) !== false) { - $result = unserialize($value); - } + $this->courseDependency = []; - $this->courseDependency = $result; + $unserialized = api_unserialize_content('not_allowed_classes', $value, true); + + if (false !== $unserialized) { + $this->courseDependency = $unserialized; + } } /** diff --git a/main/inc/lib/api.lib.php b/main/inc/lib/api.lib.php index ef61a24cfdf..c63cb350e05 100644 --- a/main/inc/lib/api.lib.php +++ b/main/inc/lib/api.lib.php 
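Review bot: The added `exit;` makes everything below it in upgrade_school_calendar.php unreachable — the `$_POST['aaa']` unserialize rewritten in the second hunk, the `$sql4` UPDATE assembled by string interpolation, and the rest of the script — while the file itself stays on disk and web-reachable. If the script is genuinely unused, as the `// not used??` comment suggests, deleting it is the cleaner fix; keeping a dead script that reads request input only adds something to maintain. If it has to stay, `$d_id` in `$sql4` should at least be cast the way `$d_number` is on the line above, unless that already happens above the hunk.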
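Review bot: setCourseListDependency() stores whatever the unserializer returns in `$this->courseDependency` as long as it is not false, so a serialized scalar or string would be kept where a list of course ids is expected (gradebook_list.php in this commit iterates the same `depends` field as ids). Replacing the condition with `if (is_array($unserialized)) {` keeps the empty-array default for every other shape. The original code had the same gap, but the rewrite is the natural place to close it.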
@@ -1,10 +1,43 @@ $allowedClasses] + ); + } + + return Unserialize::unserialize( + $serialized, + ['allowed_classes' => $allowedClasses] + ); +} diff --git a/main/inc/lib/array.lib.php b/main/inc/lib/array.lib.php index 80b9957abea..403b3f36a43 100755 --- a/main/inc/lib/array.lib.php +++ b/main/inc/lib/array.lib.php @@ -27,7 +27,7 @@ function array_unique_dimensional($array) $array = array_unique($array); foreach ($array as &$myvalue) { - $myvalue = unserialize($myvalue); + $myvalue = api_unserialize_content('not_allowed_clases', $myvalue); } return $array; diff --git a/main/inc/lib/plugin.class.php b/main/inc/lib/plugin.class.php index 34f2a0df2e1..b2db35b5990 100755 --- a/main/inc/lib/plugin.class.php +++ b/main/inc/lib/plugin.class.php @@ -322,10 +322,12 @@ public function get($name) $settings = $this->get_settings(); foreach ($settings as $setting) { if ($setting['variable'] == $this->get_name().'_'.$name) { + $unserialized = api_unserialize_content('not_allowed_classes', $setting['selected_value'], true); + if (!empty($setting['selected_value']) && - @unserialize($setting['selected_value']) !== false + false !== $unserialized ) { - $setting['selected_value'] = unserialize($setting['selected_value']); + $setting['selected_value'] = $unserialized; } return $setting['selected_value']; diff --git a/main/inc/lib/plugin.lib.php b/main/inc/lib/plugin.lib.php index 2f76eeb3b0b..aca6c501b82 100755 --- a/main/inc/lib/plugin.lib.php +++ b/main/inc/lib/plugin.lib.php 
@@ -437,8 +437,9 @@ public function getPluginInfo($plugin_name, $forced = false) $settings_filtered = []; foreach ($plugin_settings as $item) { if (!empty($item['selected_value'])) { - if (@unserialize($item['selected_value']) !== false) { - $item['selected_value'] = unserialize($item['selected_value']); + $unserialized = api_unserialize_content('not_allowed_classes', $item['selected_value'], true); + if (false !== $unserialized) { + $item['selected_value'] = $unserialized; } } $settings_filtered[$item['variable']] = $item['selected_value']; diff --git a/main/inc/lib/statistics.lib.php b/main/inc/lib/statistics.lib.php index cd18c16514d..7f0564f6a52 100644 --- a/main/inc/lib/statistics.lib.php +++ b/main/inc/lib/statistics.lib.php @@ -305,7 +305,7 @@ public static function getActivitiesData( } else { if (!empty($row[2])) { $originalData = str_replace('\\', '', $row[2]); - $row[2] = unserialize($originalData); + $row[2] = api_unserialize_content('not_allowed_classes', $originalData); if (is_array($row[2]) && !empty($row[2])) { $row[2] = implode_with_key(', ', $row[2]); } else { diff --git a/main/lp/aicc_api.php b/main/lp/aicc_api.php index a1cc3aa2999..4c09aadffaf 100755 --- a/main/lp/aicc_api.php +++ b/main/lp/aicc_api.php @@ -35,7 +35,8 @@ // Is this needed? This is probabaly done in the header file. $file = Session::read('file'); -$oLP = unserialize(Session::read('lpobject')); +/** @var learnpath $oLP */ +$oLP = api_unserialize_content('lp', Session::read('lpobject')); $oItem = $oLP->items[$oLP->current]; if (!is_object($oItem)) { error_log('New LP - scorm_api - Could not load oItem item', 0); diff --git a/main/lp/aicc_hacp.php b/main/lp/aicc_hacp.php index 210ba2b50ea..e2fef5e85ef 100755 --- a/main/lp/aicc_hacp.php +++ b/main/lp/aicc_hacp.php 
@@ -63,7 +63,11 @@ // Is this needed? This is probabaly done in the header file. $file = Session::read('file'); -$oLP = unserialize(Session::read('lpobject')); +/** @var learnpath $oLP */ +$oLP = api_unserialize_content( + 'not_allowed_classes', + Session::read('lpobject') +); $oItem = &$oLP->items[$oLP->current]; if (!is_object($oItem)) { error_log('New LP - aicc_hacp - Could not load oItem item', 0); diff --git a/main/lp/learnpath.class.php b/main/lp/learnpath.class.php index cfcb3e35627..c247229152a 100755 --- a/main/lp/learnpath.class.php +++ b/main/lp/learnpath.class.php @@ -12690,7 +12690,7 @@ public static function getLpFromSession($courseCode, $lpId, $user_id) $learnPath = null; $lpObject = Session::read('lpobject'); if ($lpObject !== null) { - $learnPath = unserialize($lpObject); + $learnPath = api_unserialize_content('lp', $lpObject); if ($debug) { error_log('getLpFromSession: unserialize'); error_log('------getLpFromSession------'); diff --git a/main/lp/lp_controller.php b/main/lp/lp_controller.php index 8f106f1a1ab..999aa591998 100755 --- a/main/lp/lp_controller.php +++ b/main/lp/lp_controller.php @@ -214,7 +214,8 @@ function(reponse) { if ($debug) { error_log(' SESSION[lpobject] is defined'); } - $oLP = unserialize($lpObject); + /** @var learnpath $oLP */ + $oLP = api_unserialize_content('lp', $lpObject); if (isset($oLP) && is_object($oLP)) { if ($debug) { error_log(' oLP is object'); diff --git a/main/lp/scorm_api.php b/main/lp/scorm_api.php index 2efd25c9889..edc38b5fdf1 100755 --- a/main/lp/scorm_api.php +++ b/main/lp/scorm_api.php 
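Review bot: aicc_hacp.php unserializes the session learnpath with the `'not_allowed_classes'` type, while aicc_api.php, lp_controller.php, learnpath::getLpFromSession() and upload_exercise.php in this same commit use `'lp'`. With classes disallowed the stored object comes back as `__PHP_Incomplete_Class`, whose properties are not readable, so `$oLP->items[$oLP->current]` on the next line cannot yield the item and the script falls into the 'Could not load oItem item' branch; the added `/** @var learnpath $oLP */` annotation also contradicts the type argument. The call should pass `'lp'`: `$oLP = api_unserialize_content('lp', Session::read('lpobject'));`.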
@@ -31,7 +31,19 @@ $file = Session::read('file'); /** @var learnpath $oLP */ -$oLP = unserialize(Session::read('lpobject')); +$oLP = Unserialize::unserialize( + Session::read('lpobject'), + [ + 'allowed_classes' => [ + learnpath::class, + learnpathItem::class, + aiccItem::class, + scormItem::class, + Link::class, + LpItem::class, + ], + ] +); /** @var learnpathItem $oItem */ $oItem = isset($oLP->items[$oLP->current]) ? $oLP->items[$oLP->current] : null; diff --git a/main/mySpace/my_career.php b/main/mySpace/my_career.php index 2f2002dba88..6aea78cac16 100644 --- a/main/mySpace/my_career.php +++ b/main/mySpace/my_career.php @@ -1,6 +1,8 @@ privacy); + return api_unserialize_content('not_allowed_classes', $this->privacy); } /** diff --git a/src/Chamilo/CoreBundle/Entity/Sequence.php b/src/Chamilo/CoreBundle/Entity/Sequence.php index 1bafea011ca..c576b8dbef8 100644 --- a/src/Chamilo/CoreBundle/Entity/Sequence.php +++ b/src/Chamilo/CoreBundle/Entity/Sequence.php @@ -135,7 +135,7 @@ public function hasGraph() */ public function getUnSerializeGraph() { - return unserialize($this->graph); + return api_unserialize_content('sequence_graph', $this->graph); } /** diff --git a/src/Chamilo/CourseBundle/Component/CourseCopy/Course.php b/src/Chamilo/CourseBundle/Component/CourseCopy/Course.php index 6fafbbaaf63..7fee7505f08 100644 --- a/src/Chamilo/CourseBundle/Component/CourseCopy/Course.php +++ b/src/Chamilo/CourseBundle/Component/CourseCopy/Course.php @@ -379,7 +379,10 @@ public static function unserialize($course) if (extension_loaded('igbinary')) { $unserialized = igbinary_unserialize($course); } else { - $unserialized = unserialize($course); + $unserialized = api_unserialize_content( + 'course', + $course + ); } return $unserialized; diff --git a/src/Chamilo/CourseBundle/Component/CourseCopy/CourseArchiver.php b/src/Chamilo/CourseBundle/Component/CourseCopy/CourseArchiver.php index 4dd41052d36..c4230262f6c 100644 
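Review bot: scorm_api.php calls Unserialize::unserialize() directly with a hand-written allow-list (learnpath, learnpathItem, aiccItem, scormItem, Link, LpItem), whereas every other learnpath site in this commit goes through `api_unserialize_content('lp', ...)`. Two lists for the same session object will drift: a class added to one and not the other makes the object come back partly as `__PHP_Incomplete_Class` on one page only. Unless the helper's `'lp'` list is known to be narrower than this one, `$oLP = api_unserialize_content('lp', Session::read('lpobject'));` keeps a single source of truth; if the helper's list is narrower, the helper is what should be widened.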
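Review bot: Course::unserialize() restricts classes only in the else branch; when the igbinary extension is loaded, `igbinary_unserialize($course)` still runs with no allow-list, so the hardening depends on which extensions the server has. If igbinary offers no equivalent of `allowed_classes` (I believe it does not, but confirm against the installed version), the decoded result should be checked the way CourseArchiver checks its result after decoding, for example `if (!is_object($unserialized) || !$unserialized instanceof self) { return false; }` before the return — assuming callers already handle a false return, which is not visible here — or the igbinary path should not be used for archives that come from outside the server.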
--- a/src/Chamilo/CourseBundle/Component/CourseCopy/CourseArchiver.php +++ b/src/Chamilo/CourseBundle/Component/CourseCopy/CourseArchiver.php @@ -343,7 +343,8 @@ class_alias('Chamilo\CourseBundle\Component\CourseCopy\Resources\ToolIntro', 'To class_alias('Chamilo\CourseBundle\Component\CourseCopy\Resources\Wiki', 'Wiki'); class_alias('Chamilo\CourseBundle\Component\CourseCopy\Resources\Work', 'Work'); - $course = unserialize(base64_decode($contents)); + /** @var Course $course */ + $course = api_unserialize_content('course', base64_decode($contents)); if (!in_array( get_class($course), diff --git a/src/Chamilo/PageBundle/Entity/User.php b/src/Chamilo/PageBundle/Entity/User.php index 19fff37c2bf..4fefdd334f6 100644 --- a/src/Chamilo/PageBundle/Entity/User.php +++ b/src/Chamilo/PageBundle/Entity/User.php @@ -2282,7 +2282,7 @@ public function serialize() */ public function unserialize($serialized) { - $data = unserialize($serialized); + $data = api_unserialize_content('not_allowed_classes', $serialized); // add a few extra elements in the array to ensure that we have enough keys when unserializing // older data which does not include all properties. $data = array_merge($data, array_fill(0, 2, null));
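Review bot: The result of `api_unserialize_content('course', base64_decode($contents))` goes straight into `get_class($course)` on the following lines, but the unserializer returns false for malformed input, and with the allow-list a disallowed top-level class is restored as `__PHP_Incomplete_Class`; `get_class(false)` throws a TypeError on PHP 8 and only warns on PHP 7. A guard before the check covers both, `if (!is_object($course)) {` returning the same failure value the existing `in_array` branch uses (its body is outside the hunk). Passing `true` as the second argument of base64_decode() would additionally reject archives that are not valid base64 before any parsing happens.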
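Review bot: User::unserialize() feeds `$data` to `array_merge($data, array_fill(0, 2, null))` right after the call, but api_unserialize_content() returns false for a malformed payload and `array_merge(false, ...)` throws a TypeError on PHP 8 (a warning and null on PHP 7, which then breaks the property assignments that presumably follow). A check between the two lines makes the failure explicit, e.g. `if (!is_array($data)) { throw new \UnexpectedValueException('<constructed: invalid serialized user data>'); }`. The method continues past the end of the hunk.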