Changeset 11692

Timestamp:

09/09/2017 12:43:21 AM (4 years ago)

Author:

johnjamesjacoby

Message:

General: ensure values are un/serialized as intended.

This change provides additional hardening around how some serialized data is manipulated while it's being passed around the application. (Some values were inconsistently or needlessly handled.)

Trunk, for 3.0.

Location:

trunk/src

Files:

• bp-activity/classes/class-bp-activity-activity.php (modified) (1 diff)
• bp-activity/classes/class-bp-activity-template.php (modified) (1 diff)
• bp-xprofile/bp-xprofile-filters.php (modified) (2 diffs)
• bp-xprofile/bp-xprofile-functions.php (modified) (1 diff)
• bp-xprofile/bp-xprofile-template.php (modified) (4 diffs)

trunk/src/bp-activity/classes/class-bp-activity-activity.php

@@ -1833 +1833 @@
         $favorite_activity_entries = bp_get_user_meta( $user_id, 'bp_favorite_activities', true );
         if ( ! empty( $favorite_activity_entries ) ) {
-            return count( maybe_unserialize( $favorite_activity_entries ) );
+            return count( $favorite_activity_entries );
         }
 

trunk/src/bp-activity/classes/class-bp-activity-template.php

@@ -196 +196 @@
 
         // Get an array of the logged in user's favorite activities.
-        $this->my_favs = maybe_unserialize( bp_get_user_meta( bp_loggedin_user_id(), 'bp_favorite_activities', true ) );
+        $this->my_favs = bp_get_user_meta( bp_loggedin_user_id(), 'bp_favorite_activities', true );
 
         // Fetch specific activity items based on ID's.

trunk/src/bp-xprofile/bp-xprofile-filters.php

@@ -169 +169 @@
     }
 
-    // Value might be serialized.
+    // Force reserialization if serialized (avoids mutation, retains integrity)
+    if ( is_serialized( $field_value ) && ( false === $reserialize ) ) {
+        $reserialize = true;
+    }
+
+    // Value might be a serialized array of options.
     $field_value = maybe_unserialize( $field_value );
 
-    // Filter single value.
-    if ( !is_array( $field_value ) ) {
+    // Sanitize single field value.
+    if ( ! is_array( $field_value ) ) {
         $kses_field_value     = xprofile_filter_kses( $field_value, $data_obj );
         $filtered_field_value = wp_rel_nofollow( force_balance_tags( $kses_field_value ) );
@@ -188 +193 @@
         $filtered_field_value = apply_filters( 'xprofile_filtered_data_value_before_save', $filtered_field_value, $field_value, $data_obj );
 
-    // Filter each array item independently.
+    // Sanitize multiple individual option values.
     } else {
         $filtered_values = array();
         foreach ( (array) $field_value as $value ) {
-            $kses_field_value       = xprofile_filter_kses( $value, $data_obj );
-            $filtered_value     = wp_rel_nofollow( force_balance_tags( $kses_field_value ) );
+            $kses_field_value = xprofile_filter_kses( $value, $data_obj );
+            $filtered_value   = wp_rel_nofollow( force_balance_tags( $kses_field_value ) );
 
             /** This filter is documented in bp-xprofile/bp-xprofile-filters.php */
             $filtered_values[] = apply_filters( 'xprofile_filtered_data_value_before_save', $filtered_value, $value, $data_obj );
-
         }
 

trunk/src/bp-xprofile/bp-xprofile-functions.php

@@ -465 +465 @@
     $field->field_id = $field_id;
     $field->user_id  = $user_id;
+
+    // Gets un/reserialized via xprofile_sanitize_data_value_before_save()
     $field->value    = maybe_serialize( $value );
 

trunk/src/bp-xprofile/bp-xprofile-template.php

@@ -589 +589 @@
         global $field;
 
-        /**
-         * Check to see if the posted value is different, if it is re-display this
-         * value as long as it's not empty and a required field.
-         */
+        // Make sure field data object exists
         if ( ! isset( $field->data ) ) {
             $field->data = new stdClass;
         }
 
+        // Default to empty value
         if ( ! isset( $field->data->value ) ) {
             $field->data->value = '';
         }
 
-        if ( isset( $_POST['field_' . $field->id] ) && $field->data->value != $_POST['field_' . $field->id] ) {
-            if ( ! empty( $_POST['field_' . $field->id] ) ) {
-                $field->data->value = $_POST['field_' . $field->id];
-            } else {
-                $field->data->value = '';
-            }
-        }
-
-        $field_value = isset( $field->data->value ) ? bp_unserialize_profile_field( $field->data->value ) : '';
+        // Was a new value posted? If so, use it instead.
+        if ( isset( $_POST['field_' . $field->id] ) ) {
+
+            // This is sanitized via the filter below (based on the field type)
+            $field->data->value = $_POST['field_' . $field->id];
+        }
 
         /**
@@ -620 +615 @@
          * @param int    $id          ID for the profile field.
          */
-        return apply_filters( 'bp_get_the_profile_field_edit_value', $field_value, $field->type, $field->id );
+        return apply_filters( 'bp_get_the_profile_field_edit_value', $field->data->value, $field->type, $field->id );
     }
 
@@ -905 +900 @@
 
 /**
- * Return unserialized profile field data.
+ * Return unserialized profile field data, and combine any array items into a
+ * comma-separated string.
  *
  * @since 1.0.0
@@ -914 +910 @@
 function bp_unserialize_profile_field( $value ) {
     if ( is_serialized($value) ) {
-        $field_value = maybe_unserialize($value);
+        $field_value = @unserialize($value);
         $field_value = implode( ', ', $field_value );
         return $field_value;