From 40d94e7a624a209f6142eb93e9d5403b586bfe04 Mon Sep 17 00:00:00 2001
From: James Cole
Date: Sun, 1 Apr 2018 19:22:30 +0200
Subject: [PATCH] Avoid using serialised preferences for security purposes. This might break existing preferences.
---
 app/Models/Preference.php | 15 ++++++++-------
 app/Support/Preferences.php | 11 ++++++++++-
 2 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/app/Models/Preference.php b/app/Models/Preference.php
index 757e25ae42..23233b9bc4 100644
--- a/app/Models/Preference.php
+++ b/app/Models/Preference.php
@@ -59,6 +59,7 @@ class Preference extends Model
 */
 public function getDataAttribute($value)
 {
+ $result = null;
 try {
 $data = Crypt::decrypt($value);
 } catch (DecryptException $e) {
@@ -67,17 +68,17 @@ class Preference extends Model
 sprintf('Could not decrypt preference #%d. If this error persists, please run "php artisan cache:clear" on the command line.', $this->id)
 );
 }
- $unserialized = false;
+ $serialized = true;
 try {
- $unserialized = unserialize($data);
+ unserialize($data);
 } catch (Exception $e) {
- // don't care, assume is false.
+ $serialized = false;
 }
- if (!(false === $unserialized)) {
- return $unserialized;
+ if (!$serialized) {
+ $result = json_decode($data, true);
 }
- return json_decode($data, true);
+ return $result;
 }
 /**
@@ -89,7 +90,7 @@ class Preference extends Model
 */
 public function setDataAttribute($value)
 {
- $this->attributes['data'] = Crypt::encrypt(serialize($value));
+ $this->attributes['data'] = Crypt::encrypt(json_encode($value));
 }
 /**
diff --git a/app/Support/Preferences.php b/app/Support/Preferences.php
index 1f7048c922..30f0567ba5 100644
--- a/app/Support/Preferences.php
+++ b/app/Support/Preferences.php
@@ -27,6 +27,7 @@ use Exception;
 use FireflyIII\Models\Preference;
 use FireflyIII\User;
 use Illuminate\Support\Collection;
+use Log;
 use Session;
 /**
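Review bot: The getter still hands the decrypted payload to `unserialize($data)` in the second hunk of Preference.php (the `$result = null;` initialisation in the first hunk is part of the same rewrite), so the deserialisation this commit sets out to avoid still runs in full — only its return value is discarded — and the format probe additionally relies on the framework turning the E_NOTICE that unserialize() raises for non-serialized input into an `ErrorException`; with a plain error handler the call returns false without throwing, `$serialized` stays true, and every JSON-encoded preference reads back as null. Dropping the probe and keying the decision on `json_last_error()` removes both problems; if legacy rows must still be recognised for a migration, the call should at least be `unserialize($data, ['allowed_classes' => false])`. Note also that with the new logic a stored JSON `null` and an undecodable payload are indistinguishable to callers, since both yield null.
```php
    public function getDataAttribute($value)
    {
        // … unchanged: Crypt::decrypt() and its DecryptException handling …
        $result = json_decode($data, true);
        if (JSON_ERROR_NONE !== json_last_error()) {
            // Not JSON: a pre-migration serialize()d payload or corrupt data.
            // Treated as absent; the string is never passed to unserialize().
            $result = null;
        }

        return $result;
    }
```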
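Review bot: `json_encode($value)` in the setDataAttribute hunk returns false on failure (a string that is not valid UTF-8, or INF/NAN), and that false is then encrypted and stored as the preference value; on the read side the getter cannot decode it, so the preference silently reads as null. The encoding result should be checked before it reaches Crypt::encrypt, e.g. `$json = json_encode($value);` followed by `if (false === $json) { throw new \RuntimeException(sprintf('Could not encode preference: %s', json_last_error_msg())); }`. Separately, the serialize()-to-JSON switch changes the round-trip contract: any caller that stored an object will now get an associative array back, which the commit message acknowledges only as "might break existing preferences" and is worth stating in the setter's docblock.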
@@ -134,6 +135,14 @@ class Preferences
 }
 $preference = Preference::where('user_id', $user->id)->where('name', $name)->first(['id', 'name', 'data']);
+ if (null !== $preference && null === $preference->data) {
+ try {
+ $preference->delete();
+ } catch (Exception $e) {
+ Log::debug(sprintf('Could not delete preference #%d', $preference->id));
+ }
+ $preference = false;
+ }
 if ($preference) {
 Cache::forever($fullName, $preference);
@@ -156,7 +165,7 @@ class Preferences
 {
 $lastActivity = microtime();
 $preference = $this->get('lastActivity', microtime());
- if (null !== $preference) {
+ if (null !== $preference && null !== $preference->data) {
 $lastActivity = $preference->data;
 }
 if (is_array($lastActivity)) {
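Review bot: The new block in the first Preferences.php hunk deletes a user's stored row as a side effect of a read whenever `$preference->data` comes back null, and records that only when the delete fails, at debug level; a legacy serialize()d preference — the case the commit message says it may break — or a legitimately stored JSON `null` therefore disappears without any trace in production logs. The deletion itself should be logged at warning level with the name and user, e.g. `Log::warning(sprintf('Preference "%s" (#%d) of user #%d could not be decoded and was removed.', $name, $preference->id, $user->id));`, and the failure branch raised to the same level. Assigning `$preference = false;` also introduces a third type into a variable the rest of the method treats as a nullable Preference; `null` keeps `if ($preference)` working and matches what `first()` returns when no row exists. The enclosing method starts before the hunk.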