For security reasons, avoid using serialised preferences. This might break existing preferences.

This commit is contained in:
James Cole 2018-04-01 19:22:30 +02:00
parent 66019fdbbf
commit 40d94e7a62
No known key found for this signature in database
GPG Key ID: C16961E655E74B5E
2 changed files with 18 additions and 8 deletions


@ -59,6 +59,7 @@ class Preference extends Model
*/ */
public function getDataAttribute($value) public function getDataAttribute($value)
{ {
$result = null;
try { try {
$data = Crypt::decrypt($value); $data = Crypt::decrypt($value);
} catch (DecryptException $e) { } catch (DecryptException $e) {
@ -67,17 +68,17 @@ class Preference extends Model
sprintf('Could not decrypt preference #%d. If this error persists, please run "php artisan cache:clear" on the command line.', $this->id) sprintf('Could not decrypt preference #%d. If this error persists, please run "php artisan cache:clear" on the command line.', $this->id)
); );
} }
$unserialized = false; $serialized = true;
try { try {
$unserialized = unserialize($data); unserialize($data);
} catch (Exception $e) { } catch (Exception $e) {
// don't care, assume is false. $serialized = false;
} }
if (!(false === $unserialized)) { if (!$serialized) {
return $unserialized; $result = json_decode($data, true);
} }
return json_decode($data, true); return $result;
} }
/** /**
@ -89,7 +90,7 @@ class Preference extends Model
*/ */
public function setDataAttribute($value) public function setDataAttribute($value)
{ {
$this->attributes['data'] = Crypt::encrypt(serialize($value)); $this->attributes['data'] = Crypt::encrypt(json_encode($value));
} }
/** /**
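Review bot: The new getDataAttribute body still passes the decrypted payload to `unserialize($data)` (the line after `$serialized = true;`) and only discards the result, so any object embedded in a legacy serialized preference is still instantiated and its wake-up/destruct logic still runs; the commit's stated goal of keeping this data away from unserialize is not met in this hunk. PHP's serialize format never begins with a JSON token, so `json_decode($data, true)` already yields null for legacy data, which is exactly what the new branch returns; the whole try/catch can become `$result = json_decode($data, true);`, and if detecting legacy rows is really wanted, `unserialize($data, ['allowed_classes' => false])` would at least create no objects. Note also that plain PHP makes unserialize return false with a notice rather than throw, so the `catch (Exception $e)` path — and therefore the JSON decode of current data — only works because the framework converts that notice into an ErrorException; worth a one-line comment such as `// relies on the framework turning unserialize's notice into ErrorException`. The method's signature is in the previous hunk; the setter hunk below additionally leaves json_encode's false return on encoding failure unchecked.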


@ -27,6 +27,7 @@ use Exception;
use FireflyIII\Models\Preference; use FireflyIII\Models\Preference;
use FireflyIII\User; use FireflyIII\User;
use Illuminate\Support\Collection; use Illuminate\Support\Collection;
use Log;
use Session; use Session;
/** /**
@ -134,6 +135,14 @@ class Preferences
} }
$preference = Preference::where('user_id', $user->id)->where('name', $name)->first(['id', 'name', 'data']); $preference = Preference::where('user_id', $user->id)->where('name', $name)->first(['id', 'name', 'data']);
if (null !== $preference && null === $preference->data) {
try {
$preference->delete();
} catch (Exception $e) {
Log::debug(sprintf('Could not delete preference #%d', $preference->id));
}
$preference = false;
}
if ($preference) { if ($preference) {
Cache::forever($fullName, $preference); Cache::forever($fullName, $preference);
@ -156,7 +165,7 @@ class Preferences
{ {
$lastActivity = microtime(); $lastActivity = microtime();
$preference = $this->get('lastActivity', microtime()); $preference = $this->get('lastActivity', microtime());
if (null !== $preference) { if (null !== $preference && null !== $preference->data) {
$lastActivity = $preference->data; $lastActivity = $preference->data;
} }
if (is_array($lastActivity)) { if (is_array($lastActivity)) {
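Review bot: In the second hunk the failed `$preference->delete()` is logged at debug level without the exception message, so a read path that silently destroys rows will leave almost no trace when the destruction itself fails; at minimum use `Log::error(sprintf('Could not delete preference #%d: %s', $preference->id, $e->getMessage()));`. The branch also conflates a legacy serialized preference (which the accessor now decodes to null) with a preference whose stored value is genuinely null, and deletes both on every read; that appears intentional given the commit message, but a comment such as `// a null data attribute means the stored value is unreadable (legacy serialized format); drop it so it is re-created` would keep the next maintainer from treating it as a bug. The enclosing get method starts and ends outside the hunk.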