Avoid using serialised preferences for security purposes. This might break existing preferences.

2025-09-23 22:35:03 +00:00 · 2018-04-01 19:22:30 +02:00
parent 66019fdbbf
commit 40d94e7a62
2 changed files with 18 additions and 8 deletions
--- a/app/Models/Preference.php
+++ b/app/Models/Preference.php
@@ -59,6 +59,7 @@ class Preference extends Model
     */
    public function getDataAttribute($value)
    {
+        $result = null;
        try {
            $data = Crypt::decrypt($value);
        } catch (DecryptException $e) {
@@ -67,17 +68,17 @@ class Preference extends Model
                sprintf('Could not decrypt preference #%d. If this error persists, please run "php artisan cache:clear" on the command line.', $this->id)
            );
        }
-        $unserialized = false;
+        $serialized = true;
        try {
-            $unserialized = unserialize($data);
+            unserialize($data);
        } catch (Exception $e) {
-            // don't care, assume is false.
+            $serialized = false;
        }
-        if (!(false === $unserialized)) {
-            return $unserialized;
+        if (!$serialized) {
+            $result = json_decode($data, true);
        }

-        return json_decode($data, true);
+        return $result;
    }

    /**
@@ -89,7 +90,7 @@ class Preference extends Model
     */
    public function setDataAttribute($value)
    {
-        $this->attributes['data'] = Crypt::encrypt(serialize($value));
+        $this->attributes['data'] = Crypt::encrypt(json_encode($value));
    }

    /**