get rid of serialization completely to avoid possible code execution, fixes #555
Signed-off-by: Michael Kaufmann <michael.kaufmann@aixit.com>
@@ -692,7 +692,7 @@ opcache.interned_strings_buffer'),
|
||||
('panel', 'password_special_char', '!?<>§$%+#=@'),
|
||||
('panel', 'customer_hide_options', ''),
|
||||
('panel', 'version', '0.9.39.5'),
|
||||
('panel', 'db_version', '201805241');
|
||||
('panel', 'db_version', '201805290');
|
||||
|
||||
|
||||
DROP TABLE IF EXISTS `panel_tasks`;
|
||||
|
||||
@@ -1015,6 +1015,16 @@ class FroxlorInstall
|
||||
$content .= $this->_status_message('green', $this->_lng['requirements']['installed']);
|
||||
}
|
||||
|
||||
// check for json extension
|
||||
$content .= $this->_status_message('begin', $this->_lng['requirements']['phpjson']);
|
||||
|
||||
if (! extension_loaded('json')) {
|
||||
$content .= $this->_status_message('red', $this->_lng['requirements']['notinstalled']);
|
||||
$_die = true;
|
||||
} else {
|
||||
$content .= $this->_status_message('green', $this->_lng['requirements']['installed']);
|
||||
}
|
||||
|
||||
// check for bcmath extension
|
||||
$content .= $this->_status_message('begin', $this->_lng['requirements']['phpbcmath']);
|
||||
|
||||
@@ -1033,15 +1043,6 @@ class FroxlorInstall
|
||||
$content .= $this->_status_message('green', $this->_lng['requirements']['installed']);
|
||||
}
|
||||
|
||||
// check for json extension
|
||||
$content .= $this->_status_message('begin', $this->_lng['requirements']['phpjson']);
|
||||
|
||||
if (! extension_loaded('json')) {
|
||||
$content .= $this->_status_message('orange', $this->_lng['requirements']['notinstalled'] . "<br />" . $this->_lng['requirements']['jsondescription']);
|
||||
} else {
|
||||
$content .= $this->_status_message('green', $this->_lng['requirements']['installed']);
|
||||
}
|
||||
|
||||
// check for open_basedir
|
||||
$content .= $this->_status_message('begin', $this->_lng['requirements']['openbasedir']);
|
||||
$php_ob = @ini_get("open_basedir");
|
||||
|
||||
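Review bot: The relocated json check now sets `$_die = true`, but the comment above it still reads only `// check for json extension` and gives no reason for the hard requirement. Judging by the commit title and the updater section, task data is now stored as JSON rather than serialized PHP, so something like `// json is mandatory: panel task data is stored as JSON, not serialize()d PHP` would tell the next maintainer why this must not be relaxed to a warning again. The enclosing method starts and ends outside both hunks.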
@@ -38,7 +38,6 @@ $lng['requirements']['phpzip'] = 'PHP zip-extension...';
|
||||
$lng['requirements']['phpjson'] = 'PHP json-extension...';
|
||||
$lng['requirements']['bcmathdescription'] = 'Traffic-calculation related functions will not work correctly!';
|
||||
$lng['requirements']['zipdescription'] = 'The auto-update feature requires the zip extension.';
|
||||
$lng['requirements']['jsondescription'] = 'The settings import/export feature requires the json extension.';
|
||||
$lng['requirements']['openbasedir'] = 'open_basedir...';
|
||||
$lng['requirements']['openbasedirenabled'] = 'Froxlor will not work properly with open_basedir enabled. Please disable open_basedir for Froxlor in the coresponding php.ini';
|
||||
$lng['requirements']['diedbecauseofrequirements'] = 'Cannot install Froxlor without these requirements! Try to fix them and retry.';
|
||||
|
||||
@@ -38,7 +38,6 @@ $lng['requirements']['phpzip'] = 'PHP zip-Erweiterung...';
|
||||
$lng['requirements']['phpjson'] = 'PHP json-Erweiterung...';
|
||||
$lng['requirements']['bcmathdescription'] = 'Traffic-Berechnungs bezogene Funktionen stehen nicht vollständig zur Verfügung!';
|
||||
$lng['requirements']['zipdescription'] = 'Die Auto-Update Funktion benötigt die zip Erweiterung.';
|
||||
$lng['requirements']['jsondescription'] = 'Die Einstellungen Import/Export Funktion benötigt die json Erweiterung.';
|
||||
$lng['requirements']['openbasedir'] = 'open_basedir genutzt wird...';
|
||||
$lng['requirements']['openbasedirenabled'] = 'Froxlor wird mit aktiviertem open_basedir nicht vollständig funktionieren. Bitte deaktivieren Sie open_basedir für Froxlor in der entsprechenden php.ini';
|
||||
$lng['requirements']['diedbecauseofrequirements'] = 'Kann Froxlor ohne diese Voraussetzungen nicht installieren! Beheben Sie die angezeigten Probleme und versuchen Sie es erneut.';
|
||||
|
||||
@@ -3968,3 +3968,33 @@ if (isDatabaseVersion('201805240')) {
|
||||
|
||||
updateToDbVersion('201805241');
|
||||
}
|
||||
|
||||
if (isDatabaseVersion('201805241')) {
|
||||
|
||||
$do_update = true;
|
||||
showUpdateStep("Checking for required PHP json-extension");
|
||||
if (! extension_loaded('json')) {
|
||||
$do_update = false;
|
||||
lastStepStatus(2, 'not installed');
|
||||
} else {
|
||||
lastStepStatus(0);
|
||||
|
||||
showUpdateStep("Checking for current cronjobs that need converting");
|
||||
$result_tasks_stmt = Database::query("
|
||||
SELECT * FROM `" . TABLE_PANEL_TASKS . "` ORDER BY `id` ASC
|
||||
");
|
||||
$upd_stmt = Database::prepare("UPDATE `" . TABLE_PANEL_TASKS . "` SET `data` = :data WHERE `id` = :taskid");
|
||||
while ($row = $result_tasks_stmt->fetch(PDO::FETCH_ASSOC)) {
|
||||
if (! empty($row['data'])) {
|
||||
$data = unserialize($row['data']);
|
||||
Database::pexecute($upd_stmt, array(
|
||||
'data' => json_encode($data),
|
||||
'taskid' => $row['id']
|
||||
));
|
||||
}
|
||||
}
|
||||
lastStepStatus(0);
|
||||
|
||||
updateToDbVersion('201805290');
|
||||
}
|
||||
}
|
||||
|
||||
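Review bot: The conversion loop still passes every stored `data` value to `unserialize()` with no class restriction, so the migration performs the deserialization this commit sets out to remove, once, on whatever is in `panel_tasks` at upgrade time. On PHP 7.0 or later, `$data = unserialize($row['data'], array('allowed_classes' => false));` keeps stored objects from being instantiated; if older PHP versions are still supported, which the page does not show, the call needs a version guard. The result is also unchecked: a row that fails to unserialize yields `false`, and `json_encode(false)` then overwrites that task's data with the string `false`, so the update should be skipped when `$data === false && $row['data'] !== serialize(false)`. Separately, `$do_update` is assigned but never read in the visible lines.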