Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

stable

Clone or download

Read-only

Remove the usage of unserialize() for the user's feedbacks

Download Browse

Use unserialize() require to be careful or it could lead to object injection. When not absolutely needed, it's usage should be prohibited. This contribution is part of request #10118: remote code execution through object unserialization of a user's recent elements Change-Id: I0d4e82a813bc58052c4dea3a9f9b61ab0d1110f7

+61 −3
Thomas Gerbet (tgerbet) 2017-04-05 15:00
Thomas Gerbet (tgerbet) 2017-04-05 15:04
9f7e4072b638f434e8f8c17802604fbac7dc117b
c97511aa64242101088a3d0fdf689c09f1dd5138
git #tuleap/stable/9f7e4072b638f434e8f8c17802604fbac7dc117b

Modified Files

Side by side diff
Inline diff
Name
M src/common/include/Feedback.class.php +8 −0 Go to diff View file
M src/common/include/Response.class.php +7 −3 Go to diff View file
A src/db/mysql/updates/2017/201704051330_remove_binary_serialized_feedback.php +46 −0 Go to diff View file