moodle/moodle
3
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-08-04 08:26:37 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

MDL-70823 blocks: safer unserializing during block restore.

Browse source
This commit is contained in:
Paul Holden 2021-02-08 08:49:51 +00:00 committed by Sara Arjona
parent ad524085cd
commit c4010ec81f
14 changed files with 25 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

10
backup/moodle2/restore_block_task.class.php
View file

@ -162,6 +162,16 @@ abstract class restore_block_task extends restore_task {
*/ */
abstract public function get_configdata_encoded_attributes(); abstract public function get_configdata_encoded_attributes();
/**
* Helper method to safely unserialize block configuration during restore
*
* @param string $configdata The original base64 encoded block config, as retrieved from the block_instances table
* @return stdClass
*/
protected function decode_configdata(string $configdata): stdClass {
return unserialize_object(base64_decode($configdata));
}
/** /**
* Define the contents in the activity that must be * Define the contents in the activity that must be
* processed by the link decoder * processed by the link decoder

2
backup/moodle2/restore_stepslib.php
View file

@ -4196,7 +4196,7 @@ class restore_block_instance_structure_step extends restore_structure_step {
// Let's look for anything within configdata neededing processing // Let's look for anything within configdata neededing processing
// (nulls and uses of legacy file.php) // (nulls and uses of legacy file.php)
if ($attrstotransform = $this->task->get_configdata_encoded_attributes()) { if ($attrstotransform = $this->task->get_configdata_encoded_attributes()) {
$configdata = (array)unserialize(base64_decode($data->configdata)); $configdata = (array) unserialize_object(base64_decode($data->configdata));
foreach ($configdata as $attribute => $value) { foreach ($configdata as $attribute => $value) {
if (in_array($attribute, $attrstotransform)) { if (in_array($attribute, $attrstotransform)) {
$configdata[$attribute] = $this->contentprocessor->process_cdata($value); $configdata[$attribute] = $this->contentprocessor->process_cdata($value);

2
blocks/activity_results/backup/moodle2/restore_activity_results_block_task.class.php
View file

@ -73,7 +73,7 @@ class restore_activity_results_block_task extends restore_block_task {
$blockid = $this->get_blockid(); $blockid = $this->get_blockid();
if ($configdata = $DB->get_field('block_instances', 'configdata', array('id' => $blockid))) { if ($configdata = $DB->get_field('block_instances', 'configdata', array('id' => $blockid))) {
$config = unserialize(base64_decode($configdata)); $config = $this->decode_configdata($configdata);
if (!empty($config->activityparentid)) { if (!empty($config->activityparentid)) {
// Get the mapping and replace it in config. // Get the mapping and replace it in config.
if ($mapping = restore_dbops::get_backup_ids_record($this->get_restoreid(), if ($mapping = restore_dbops::get_backup_ids_record($this->get_restoreid(),

2
blocks/glossary_random/backup/moodle2/restore_glossary_random_block_task.class.php
View file

@ -58,7 +58,7 @@ class restore_glossary_random_block_task extends restore_block_task {
// Extract block configdata and update it to point to the new glossary // Extract block configdata and update it to point to the new glossary
if ($configdata = $DB->get_field('block_instances', 'configdata', array('id' => $blockid))) { if ($configdata = $DB->get_field('block_instances', 'configdata', array('id' => $blockid))) {
$config = unserialize(base64_decode($configdata)); $config = $this->decode_configdata($configdata);
if (!empty($config->glossary)) { if (!empty($config->glossary)) {
if ($glossarymap = restore_dbops::get_backup_ids_record($this->get_restoreid(), 'glossary', $config->glossary)) { if ($glossarymap = restore_dbops::get_backup_ids_record($this->get_restoreid(), 'glossary', $config->glossary)) {
// Get glossary mapping and replace it in config // Get glossary mapping and replace it in config

2
blocks/html/backup/moodle2/restore_html_block_task.class.php
View file

@ -82,7 +82,7 @@ class restore_html_block_decode_content extends restore_decode_content {
} }
protected function preprocess_field($field) { protected function preprocess_field($field) {
$this->configdata = unserialize(base64_decode($field)); $this->configdata = unserialize_object(base64_decode($field));
return isset($this->configdata->text) ? $this->configdata->text : ''; return isset($this->configdata->text) ? $this->configdata->text : '';
} }

2
blocks/html/classes/search/content.php
View file

@ -43,7 +43,7 @@ class content extends \core_search\base_block {
$this->componentname, $this->areaname); $this->componentname, $this->areaname);
// Get stdclass object with data from DB. // Get stdclass object with data from DB.
$data = unserialize(base64_decode($record->configdata)); $data = unserialize_object(base64_decode($record->configdata));
// Get content. // Get content.
$content = content_to_text($data->text, $data->format); $content = content_to_text($data->text, $data->format);

4
blocks/html/edit_form.php
View file

@ -51,7 +51,7 @@ class block_html_edit_form extends block_edit_form {
} }
function set_data($defaults) { function set_data($defaults) {
if (!empty($this->block->config) && is_object($this->block->config)) { if (!empty($this->block->config) && !empty($this->block->config->text)) {
$text = $this->block->config->text; $text = $this->block->config->text;
$draftid_editor = file_get_submitted_draft_itemid('config_text'); $draftid_editor = file_get_submitted_draft_itemid('config_text');
if (empty($text)) { if (empty($text)) {
@ -61,7 +61,7 @@ class block_html_edit_form extends block_edit_form {
} }
$defaults->config_text['text'] = file_prepare_draft_area($draftid_editor, $this->block->context->id, 'block_html', 'content', 0, array('subdirs'=>true), $currenttext); $defaults->config_text['text'] = file_prepare_draft_area($draftid_editor, $this->block->context->id, 'block_html', 'content', 0, array('subdirs'=>true), $currenttext);
$defaults->config_text['itemid'] = $draftid_editor; $defaults->config_text['itemid'] = $draftid_editor;
$defaults->config_text['format'] = $this->block->config->format; $defaults->config_text['format'] = $this->block->config->format ?? FORMAT_MOODLE;
} else { } else {
$text = ''; $text = '';
} }

2
blocks/html/lib.php
View file

@ -100,7 +100,7 @@ function block_html_global_db_replace($search, $replace) {
$instances = $DB->get_recordset('block_instances', array('blockname' => 'html')); $instances = $DB->get_recordset('block_instances', array('blockname' => 'html'));
foreach ($instances as $instance) { foreach ($instances as $instance) {
// TODO: intentionally hardcoded until MDL-26800 is fixed // TODO: intentionally hardcoded until MDL-26800 is fixed
$config = unserialize(base64_decode($instance->configdata)); $config = unserialize_object(base64_decode($instance->configdata));
if (isset($config->text) and is_string($config->text)) { if (isset($config->text) and is_string($config->text)) {
$config->text = str_replace($search, $replace, $config->text); $config->text = str_replace($search, $replace, $config->text);
$DB->update_record('block_instances', ['id' => $instance->id, $DB->update_record('block_instances', ['id' => $instance->id,

2
blocks/moodleblock.class.php
View file

@ -470,7 +470,7 @@ class block_base {
*/ */
function _load_instance($instance, $page) { function _load_instance($instance, $page) {
if (!empty($instance->configdata)) { if (!empty($instance->configdata)) {
$this->config = unserialize(base64_decode($instance->configdata)); $this->config = unserialize_object(base64_decode($instance->configdata));
} }
$this->instance = $instance; $this->instance = $instance;
$this->context = context_block::instance($instance->id); $this->context = context_block::instance($instance->id);

3
blocks/quiz_results/backup/moodle2/restore_quiz_results_block_task.class.php
View file

@ -66,8 +66,7 @@ class restore_quiz_results_block_task extends restore_block_task {
// The block was configured. // The block was configured.
if (!empty($configdata)) { if (!empty($configdata)) {
$config = $this->decode_configdata($configdata);
$config = unserialize(base64_decode($configdata));
$config->activityparent = 'quiz'; $config->activityparent = 'quiz';
$config->activityparentid = 0; $config->activityparentid = 0;
$config->gradeformat = isset($config->gradeformat) ? $config->gradeformat : 1; $config->gradeformat = isset($config->gradeformat) ? $config->gradeformat : 1;

2
blocks/rss_client/backup/moodle2/backup_rss_client_stepslib.php
View file

@ -36,7 +36,7 @@ class backup_rss_client_block_structure_step extends backup_block_structure_step
// Get the block // Get the block
$block = $DB->get_record('block_instances', array('id' => $this->task->get_blockid())); $block = $DB->get_record('block_instances', array('id' => $this->task->get_blockid()));
// Extract configdata // Extract configdata
$config = unserialize(base64_decode($block->configdata)); $config = unserialize_object(base64_decode($block->configdata));
// Get array of used rss feeds // Get array of used rss feeds
if (!empty($config->rssid)) { if (!empty($config->rssid)) {
$feedids = $config->rssid; $feedids = $config->rssid;

5
blocks/rss_client/backup/moodle2/restore_rss_client_stepslib.php
View file

@ -76,10 +76,7 @@ class restore_rss_client_block_structure_step extends restore_structure_step {
// Get the configdata // Get the configdata
$configdata = $DB->get_field('block_instances', 'configdata', array('id' => $this->task->get_blockid())); $configdata = $DB->get_field('block_instances', 'configdata', array('id' => $this->task->get_blockid()));
// Extract configdata // Extract configdata
$config = unserialize(base64_decode($configdata)); $config = unserialize_object(base64_decode($configdata));
if (empty($config)) {
$config = new stdClass();
}
// Set array of used rss feeds // Set array of used rss feeds
$config->rssid = $feedsarr; $config->rssid = $feedsarr;
// Serialize back the configdata // Serialize back the configdata

5
blocks/rss_client/edit_form.php
View file

@ -49,9 +49,8 @@ class block_rss_client_edit_form extends block_edit_form {
$insql = ''; $insql = '';
$params = array('userid' => $USER->id); $params = array('userid' => $USER->id);
$rssconfig = unserialize(base64_decode($this->block->instance->configdata)); if (!empty($this->block->config) && !empty($this->block->config->rssid)) {
if ($rssconfig && !empty($rssconfig->rssid)) { list($insql, $inparams) = $DB->get_in_or_equal($this->block->config->rssid, SQL_PARAMS_NAMED);
list($insql, $inparams) = $DB->get_in_or_equal($rssconfig->rssid, SQL_PARAMS_NAMED);
$insql = "OR id $insql "; $insql = "OR id $insql ";
$params += $inparams; $params += $inparams;
} }

2
blocks/tags/backup/moodle2/restore_tags_block_task.class.php
View file

@ -57,7 +57,7 @@ class restore_tags_block_task extends restore_block_task {
// Extract block configdata and remove tag collection reference if this is another site. Also map contextid. // Extract block configdata and remove tag collection reference if this is another site. Also map contextid.
if ($configdata = $DB->get_field('block_instances', 'configdata', array('id' => $blockid))) { if ($configdata = $DB->get_field('block_instances', 'configdata', array('id' => $blockid))) {
$config = unserialize(base64_decode($configdata)); $config = $this->decode_configdata($configdata);
$changed = false; $changed = false;
if (!empty($config->tagcoll) && $config->tagcoll > 1 && !$this->is_samesite()) { if (!empty($config->tagcoll) && $config->tagcoll > 1 && !$this->is_samesite()) {
$config->tagcoll = 0; $config->tagcoll = 0;