2.3.9

@carakas carakas released this 20 May 13:56
· 113 commits to master since this release
9a97858

Security release:
#69
If a user sets a cookie containing a serialized object, code inside that object might be executed when the cookie is unserialized, via the __wakeup magic method.

This pull request attempts to prevent this by setting and getting cookies through json_encode/json_decode. We've also provided a fallback: the cookie's string is checked for a serialized object. If it doesn't contain one, we still unserialize the cookie and re-set it using json_encode. If the cookie does contain a serialized object, an exception is thrown.

This security fix will break your website if objects are set in cookies.
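The JSON-first cookie read/write path with the legacy fallback described above, as an added PHP example (not Fork CMS's own code): the function and exception names are hypothetical, and the `allowed_classes => false` option (PHP 7.0+) is an extra guard that the release note does not mention.

```php
<?php
// Added example: store cookies as JSON, refuse serialized objects on read,
// and migrate pre-fix cookies that hold only scalars/arrays.

final class SerializedObjectInCookieException extends RuntimeException {}

function cookieSet(string $name, $value, int $ttl = 86400): void
{
    // Objects are rejected up front: their __wakeup()/__destruct() would run on read.
    if (is_object($value)) {
        throw new InvalidArgumentException("Objects may not be stored in cookie {$name}");
    }
    // secure=true, httponly=true
    setcookie($name, json_encode($value), time() + $ttl, '/', '', true, true);
}

function looksLikeSerializedObject(string $raw): bool
{
    // Matches O:<len>:"<class>" (objects) and C:<len>:"<class>" (Serializable),
    // also when nested inside a serialized array. Deliberately conservative:
    // a plain string that happens to contain this pattern is rejected too.
    return (bool) preg_match('/[OC]:\d+:"/', $raw);
}

function cookieGet(string $name, $default = null)
{
    if (!isset($_COOKIE[$name])) {
        return $default;
    }
    $raw = $_COOKIE[$name];

    // Normal path: written by cookieSet() as JSON.
    $decoded = json_decode($raw, true);
    if (json_last_error() === JSON_ERROR_NONE) {
        return $decoded;
    }

    // Legacy path: value predates the fix and was written with serialize().
    if (looksLikeSerializedObject($raw)) {
        throw new SerializedObjectInCookieException("Refusing to unserialize object in cookie {$name}");
    }
    // Only scalars/arrays should remain; allowed_classes=false is a second guard.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        return $default; // malformed legacy value
    }
    cookieSet($name, $value); // migrate: re-set as JSON
    return $value;
}
```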

See https://www.owasp.org/index.php/PHP_Object_Injection for an example.