Avoid using serialised preferences for security purposes. This might break existing preferences.

2025-02-25 18:45:27 -06:00 · 2018-04-01 19:22:30 +02:00 · 2018-04-01 19:22:30 +02:00 · 40d94e7a62
commit 40d94e7a62
parent 66019fdbbf
2 changed files with 18 additions and 8 deletions
--- a/app/Models/Preference.php
+++ b/app/Models/Preference.php
@ -59,6 +59,7 @@ class Preference extends Model
     */
    public function getDataAttribute($value)
    {
+        $result = null;
        try {
            $data = Crypt::decrypt($value);
        } catch (DecryptException $e) {
@ -67,17 +68,17 @@ class Preference extends Model
                sprintf('Could not decrypt preference #%d. If this error persists, please run "php artisan cache:clear" on the command line.', $this->id)
            );
        }
-        $unserialized = false;
+        $serialized = true;
        try {
-            $unserialized = unserialize($data);
+            unserialize($data);
        } catch (Exception $e) {
-            // don't care, assume is false.
+            $serialized = false;
        }
-        if (!(false === $unserialized)) {
-            return $unserialized;
+        if (!$serialized) {
+            $result = json_decode($data, true);
        }

-        return json_decode($data, true);
+        return $result;
    }

    /**
@ -89,7 +90,7 @@ class Preference extends Model
     */
    public function setDataAttribute($value)
    {
-        $this->attributes['data'] = Crypt::encrypt(serialize($value));
+        $this->attributes['data'] = Crypt::encrypt(json_encode($value));
    }

    /**
--- a/app/Support/Preferences.php
+++ b/app/Support/Preferences.php
@ -27,6 +27,7 @@ use Exception;
 use FireflyIII\Models\Preference;
 use FireflyIII\User;
 use Illuminate\Support\Collection;
+use Log;
 use Session;

 /**
@ -134,6 +135,14 @@ class Preferences
        }

        $preference = Preference::where('user_id', $user->id)->where('name', $name)->first(['id', 'name', 'data']);
+        if (null !== $preference && null === $preference->data) {
+            try {
+                $preference->delete();
+            } catch (Exception $e) {
+                Log::debug(sprintf('Could not delete preference #%d', $preference->id));
+            }
+            $preference = false;
+        }

        if ($preference) {
            Cache::forever($fullName, $preference);
@ -156,7 +165,7 @@ class Preferences
    {
        $lastActivity = microtime();
        $preference   = $this->get('lastActivity', microtime());
-        if (null !== $preference) {
+        if (null !== $preference && null !== $preference->data) {
            $lastActivity = $preference->data;
        }
        if (is_array($lastActivity)) {