Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#1900 closed New feature (fixed)

upgradephp: add contributed safe_serialize()/safe_unserialize() functions

Reported by: vipsoft
Owned by:
Priority: low
Milestone: Piwik 1.1
Component: Core
Keywords:
Cc:
Sensitive: no

Description

Written in PHP, these compatibility functions differ from the built-ins in one respect: they don't serialize/unserialize objects.

We currently sign and apply a blacklist on cookies, so this doesn't add any security value there.

But PhpSecInfo has a test that unserializes content from php.net.
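
The object-refusing behaviour the description refers to, as an added example that is not part of the ticket and is not upgradephp's or Piwik's implementation: a parser for the serialize() format that returns only null, bool, int, float, string and array values and throws on any other token. The names demo_parse() and demo_safe_unserialize() and both sample inputs are assumptions made for illustration.

```php
<?php
// Added example (PHP 7+), not upgradephp's or Piwik's code; names and inputs are constructed.
function demo_parse(string $s, int &$pos, int $depth = 0)
{
    if (preg_match('/\G(?:N|b:([01])|i:(-?\d{1,18}));/', $s, $m, 0, $pos)) {
        $pos += strlen($m[0]);
        return isset($m[2]) ? (int) $m[2] : (isset($m[1]) ? $m[1] === '1' : null);
    }
    if (preg_match('/\Gd:(-?\d+(?:\.\d+)?(?:E[+-]?\d+)?);/', $s, $m, 0, $pos)) {
        $pos += strlen($m[0]);
        return (float) $m[1];
    }
    if (preg_match('/\Gs:(\d{1,9}):"/', $s, $m, 0, $pos)) {
        $body = substr($s, $pos + strlen($m[0]), (int) $m[1]);
        // The declared byte length must end exactly at the closing quote.
        if (substr($s, $pos + strlen($m[0]) + (int) $m[1], 2) === '";') {
            $pos += strlen($m[0]) + (int) $m[1] + 2;
            return $body;
        }
    }
    if ($depth < 32 && preg_match('/\Ga:(\d{1,9}):\{/', $s, $m, 0, $pos)) {
        $pos += strlen($m[0]);
        for ($out = [], $n = (int) $m[1]; $n > 0; $n--) {
            $key = demo_parse($s, $pos, $depth + 1);
            if (!is_int($key) && !is_string($key)) {
                throw new UnexpectedValueException('bad array key');
            }
            $out[$key] = demo_parse($s, $pos, $depth + 1);
        }
        if (substr($s, $pos++, 1) === '}') {
            return $out;
        }
    }
    // O:/C: (objects), r:/R: (references), malformed or over-deep input land here.
    throw new UnexpectedValueException("rejected token near offset $pos");
}
function demo_safe_unserialize(string $s)
{
    $pos = 0;
    $value = demo_parse($s, $pos);
    if ($pos !== strlen($s)) {
        throw new UnexpectedValueException('trailing data');
    }
    return $value;
}
var_export(demo_safe_unserialize('a:2:{s:4:"user";s:5:"alice";s:6:"visits";i:3;}'));
try {
    demo_safe_unserialize('a:1:{i:0;O:8:"stdClass":0:{}}');
} catch (UnexpectedValueException $e) {
    echo "\n", $e->getMessage(), "\n";
}
```

On PHP 7 and later the built-in unserialize() also accepts an allowed_classes option; with it set to false, object tokens come back as __PHP_Incomplete_Class instances rather than being rejected.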

Change History (3)

comment:1 Changed 3 years ago by vipsoft (robocoder)

  • Resolution set to fixed
  • Status changed from new to closed

(In [3460]) fixes #1900 - use safe_unserialize() for third-party content; for signed cookies, replace serialize/unserialize with more compact json_encode()/json_decode()

comment:2 Changed 3 years ago by matt (mattab)

(In [3507]) Fixing broken tracking, json_decode returning objects but code is using the data as array. Refs #1900
