MDL-70823 blocks: safer unserializing during block restore.

2025-08-06 01:16:44 +02:00 · 2021-02-08 08:49:51 +00:00 · 2021-02-08 08:49:51 +00:00 · 294fa223c9
commit 294fa223c9
parent f8fed9810a
14 changed files with 25 additions and 20 deletions
--- a/backup/moodle2/restore_block_task.class.php
+++ b/backup/moodle2/restore_block_task.class.php
@ -162,6 +162,16 @@ abstract class restore_block_task extends restore_task {
     */
    abstract public function get_configdata_encoded_attributes();

+    /**
+     * Helper method to safely unserialize block configuration during restore
+     *
+     * @param string $configdata The original base64 encoded block config, as retrieved from the block_instances table
+     * @return stdClass
+     */
+    protected function decode_configdata(string $configdata): stdClass {
+        return unserialize_object(base64_decode($configdata));
+    }
+
    /**
     * Define the contents in the activity that must be
     * processed by the link decoder
--- a/backup/moodle2/restore_stepslib.php
+++ b/backup/moodle2/restore_stepslib.php
@ -4305,7 +4305,7 @@ class restore_block_instance_structure_step extends restore_structure_step {
        // Let's look for anything within configdata neededing processing
        // (nulls and uses of legacy file.php)
        if ($attrstotransform = $this->task->get_configdata_encoded_attributes()) {
-            $configdata = (array)unserialize(base64_decode($data->configdata));
+            $configdata = (array) unserialize_object(base64_decode($data->configdata));
            foreach ($configdata as $attribute => $value) {
                if (in_array($attribute, $attrstotransform)) {
                    $configdata[$attribute] = $this->contentprocessor->process_cdata($value);