

Changeset 11692


Timestamp:
09/09/2017 12:43:21 AM (2 years ago)
Author:
johnjamesjacoby
Message:

General: ensure values are un/serialized as intended.

This change provides additional hardening around how some serialized data is manipulated while it's being passed around the application. (Some values were inconsistently or needlessly handled.)

Trunk, for 3.0.

Location:
trunk/src
Files:
5 edited

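--- a/trunk/src/bp-activity/classes/class-bp-activity-activity.php
+++ b/trunk/src/bp-activity/classes/class-bp-activity-activity.php
@@ -1833,5 +1833,5 @@
         $favorite_activity_entries = bp_get_user_meta( $user_id, 'bp_favorite_activities', true );
         if ( ! empty( $favorite_activity_entries ) ) {
-            return count( maybe_unserialize( $favorite_activity_entries ) );
+            return count( $favorite_activity_entries );
         }
 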
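Review bot: `count( $favorite_activity_entries )` on the new line is no longer guarded against a non-array value: `! empty()` also passes for a non-empty string, and bp_get_user_meta() (which presumably already unserializes stored meta, which is why the maybe_unserialize() wrapper became redundant) returns whatever was stored, so a scalar here makes `count()` emit a warning on PHP 7.2+ and throw a TypeError on PHP 8. Consider `return count( (array) $favorite_activity_entries );` or an explicit `is_array()` check before counting. The same assumption applies to the `$this->my_favs` assignment in class-bp-activity-template.php in this changeset, where a missing meta row leaves the property as an empty string rather than an array. The enclosing method starts and ends outside the hunk.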
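--- a/trunk/src/bp-activity/classes/class-bp-activity-template.php
+++ b/trunk/src/bp-activity/classes/class-bp-activity-template.php
@@ -196,5 +196,5 @@
 
         // Get an array of the logged in user's favorite activities.
-        $this->my_favs = maybe_unserialize( bp_get_user_meta( bp_loggedin_user_id(), 'bp_favorite_activities', true ) );
+        $this->my_favs = bp_get_user_meta( bp_loggedin_user_id(), 'bp_favorite_activities', true );
 
         // Fetch specific activity items based on ID's.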
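--- a/trunk/src/bp-xprofile/bp-xprofile-filters.php
+++ b/trunk/src/bp-xprofile/bp-xprofile-filters.php
@@ -169,9 +169,14 @@
     }
 
-    // Value might be serialized.
+    // Force reserialization if serialized (avoids mutation, retains integrity)
+    if ( is_serialized( $field_value ) && ( false === $reserialize ) ) {
+        $reserialize = true;
+    }
+
+    // Value might be a serialized array of options.
     $field_value = maybe_unserialize( $field_value );
 
-    // Filter single value.
-    if ( !is_array( $field_value ) ) {
+    // Sanitize single field value.
+    if ( ! is_array( $field_value ) ) {
         $kses_field_value     = xprofile_filter_kses( $field_value, $data_obj );
         $filtered_field_value = wp_rel_nofollow( force_balance_tags( $kses_field_value ) );
@@ -188,14 +193,13 @@
         $filtered_field_value = apply_filters( 'xprofile_filtered_data_value_before_save', $filtered_field_value, $field_value, $data_obj );
 
-    // Filter each array item independently.
+    // Sanitize multiple individual option values.
     } else {
         $filtered_values = array();
         foreach ( (array) $field_value as $value ) {
-            $kses_field_value       = xprofile_filter_kses( $value, $data_obj );
-            $filtered_value     = wp_rel_nofollow( force_balance_tags( $kses_field_value ) );
+            $kses_field_value = xprofile_filter_kses( $value, $data_obj );
+            $filtered_value   = wp_rel_nofollow( force_balance_tags( $kses_field_value ) );
 
             /** This filter is documented in bp-xprofile/bp-xprofile-filters.php */
             $filtered_values[] = apply_filters( 'xprofile_filtered_data_value_before_save', $filtered_value, $value, $data_obj );
-
         }
 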
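Review bot: `maybe_unserialize( $field_value )` in the first hunk still runs on any input that passes `is_serialized()`, and the new `$reserialize` guard only decides whether the value is serialized again afterwards, not whether unserializing it was safe: a text-field submission that merely looks like serialized data is unserialized here and, unless maybe_unserialize() restricts `allowed_classes`, can instantiate arbitrary classes, which is the usual PHP object-injection concern for data that originates from a form. If every write path wraps the value in maybe_serialize() first (as bp-xprofile-functions.php in this changeset does, and maybe_serialize() double-serializes a serialized-looking string so it round-trips as a plain string), that is mitigated upstream, but this filter does not enforce it on its own. Where PHP 7+ is available, a local guard would be to unserialize with `array( 'allowed_classes' => false )` and to accept only an array result, e.g. `$unserialized = is_serialized( $field_value ) ? unserialize( $field_value, array( 'allowed_classes' => false ) ) : $field_value;` followed by `$field_value = is_array( $unserialized ) ? $unserialized : $field_value;`, so that scalars and object payloads fall through to the single-value branch as the string they were submitted as. The enclosing function (xprofile_sanitize_data_value_before_save(), going by the comment added in bp-xprofile-functions.php) starts before the first hunk and ends after the second.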
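--- a/trunk/src/bp-xprofile/bp-xprofile-functions.php
+++ b/trunk/src/bp-xprofile/bp-xprofile-functions.php
@@ -465,4 +465,6 @@
     $field->field_id = $field_id;
     $field->user_id  = $user_id;
+
+    // Gets un/reserialized via xprofile_sanitize_data_value_before_save()
     $field->value    = maybe_serialize( $value );
 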
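--- a/trunk/src/bp-xprofile/bp-xprofile-template.php
+++ b/trunk/src/bp-xprofile/bp-xprofile-template.php
@@ -589,25 +589,20 @@
         global $field;
 
-        /**
-         * Check to see if the posted value is different, if it is re-display this
-         * value as long as it's not empty and a required field.
-         */
+        // Make sure field data object exists
         if ( ! isset( $field->data ) ) {
             $field->data = new stdClass;
         }
 
+        // Default to empty value
         if ( ! isset( $field->data->value ) ) {
             $field->data->value = '';
         }
 
-        if ( isset( $_POST['field_' . $field->id] ) && $field->data->value != $_POST['field_' . $field->id] ) {
-            if ( ! empty( $_POST['field_' . $field->id] ) ) {
-                $field->data->value = $_POST['field_' . $field->id];
-            } else {
-                $field->data->value = '';
-            }
-        }
-
-        $field_value = isset( $field->data->value ) ? bp_unserialize_profile_field( $field->data->value ) : '';
+        // Was a new value posted? If so, use it instead.
+        if ( isset( $_POST['field_' . $field->id] ) ) {
+
+            // This is sanitized via the filter below (based on the field type)
+            $field->data->value = $_POST['field_' . $field->id];
+        }
 
         /**
@@ -620,5 +615,5 @@
          * @param int    $id          ID for the profile field.
          */
-        return apply_filters( 'bp_get_the_profile_field_edit_value', $field_value, $field->type, $field->id );
+        return apply_filters( 'bp_get_the_profile_field_edit_value', $field->data->value, $field->type, $field->id );
     }
 
@@ -905,5 +900,6 @@
 
 /**
- * Return unserialized profile field data.
+ * Return unserialized profile field data, and combine any array items into a
+ * comma-separated string.
  *
  * @since 1.0.0
@@ -914,5 +910,5 @@
 function bp_unserialize_profile_field( $value ) {
     if ( is_serialized($value) ) {
-        $field_value = maybe_unserialize($value);
+        $field_value = @unserialize($value);
         $field_value = implode( ', ', $field_value );
         return $field_value;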
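Review bot: `$field_value = @unserialize($value);` in the last hunk replaces the helper with a bare unserialize() that has no `allowed_classes` restriction and no check of its result, and the next line passes that result straight to `implode()`. `is_serialized()` is also true for serialized scalars and serialized objects (and for shape-valid data that still fails to unserialize, which yields `false`), so those cases reach `implode()` as a non-array and emit a warning (a TypeError on PHP 8) instead of returning a string. Something like `$field_value = unserialize( $value, array( 'allowed_classes' => false ) );` followed by `if ( ! is_array( $field_value ) ) { return $value; }` keeps the documented contract (combine array items into a comma-separated string) while refusing object payloads, with the `@` suppression no longer needed. Separately, in the first hunk of this section `$field->data->value = $_POST['field_' . $field->id];` is assigned with no type or shape check; the comment defers sanitization to the `bp_get_the_profile_field_edit_value` filter, but nothing in the hunk shows a callback is attached for every field type, and an array posted under that key would reach the filter as-is. bp_unserialize_profile_field()'s body continues past the last hunk.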