| Field | Value | Date |
|---|---|---|
| author | Stefan Giehl <stefan@matomo.org> | 2021-05-12 02:11:45 +0300 |
| committer | GitHub <noreply@github.com> | 2021-05-12 02:11:45 +0300 |
| commit | ba6be4072538eaf54625ebfcead626107836c818 (patch) | |
| tree | 6a83f871a4be249465d689a504bf8910e6f73165 | |
| parent | c40c4b3d65e8f08dd44522b47cd5d1bba416009b (diff) | |
Use Common::safe_unserialize for session data (#17539)
* Use safe_unserialize in Session
* Allow Notification class in session
* update readme
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | CHANGELOG.md | 1 |
| -rw-r--r-- | libs/README.md | 4 |
| -rw-r--r-- | libs/Zend/Session.php | 4 |
3 files changed, 5 insertions, 4 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 787faa8092..d82339ef1e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ The Product Changelog at **[matomo.org/changelog](https://matomo.org/changelog)* ### Breaking Changes * Before every JS error was tracked, from this version the same JS error will be only tracked once per page view. If the very same error is happening multiple times, then it will be tracked only once within the same page view. If another page view is tracked or when the page reloads, then the error will be tracked again. +* It's no longer possible to store any class instances directly in the session object. Please use arrays or plain data instead. ### Upcoming Breaking Changes diff --git a/libs/README.md b/libs/README.md index 999c5c732c..8e911a9e72 100644 --- a/libs/README.md +++ b/libs/README.md @@ -13,10 +13,8 @@ third-party libraries: - in r3040, exception classes don't follow PEAR naming convention * Zend/ - strip require_once (to support autoloading) - - in r3694, fix ZF-10888 and ZF-10835 - - ZF-10871 - undefined variables when socket support disabled - fix #6980 ("Array to string conversion") in `Zend/Session/Exception.php` - - fix Zend/Validate using deprecated iconv_set_encoding() + - various adjustments to remove unused parts of Zend Framework - Make sure sessions work when storing notifications * materialize/ - in materialize.min.css removed the loading of Roboto fonts as the paths do not match and couldn't be loaded. Also diff --git a/libs/Zend/Session.php b/libs/Zend/Session.php index f097920613..cc7dae12b3 100644 --- a/libs/Zend/Session.php +++ b/libs/Zend/Session.php @@ -521,7 +521,9 @@ class Zend_Session extends Zend_Session_Abstract } if (isset($_SESSION['data']) && is_string($_SESSION['data'])) { - $_SESSION = unserialize(base64_decode($_SESSION['data'])); + $_SESSION = \Piwik\Common::safe_unserialize(base64_decode($_SESSION['data']), [ + \Piwik\Notification::class + ]); } // run validators if they exist |
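Review bot: the new CHANGELOG entry states that no class instances at all can be stored in the session any more, but the Zend/Session.php hunk in this same patch explicitly allow-lists `\Piwik\Notification::class`, so the entry is stricter than the code. Suggest wording it as "Only `Piwik\Notification` instances are still restored from the session; any other object stored in the session will no longer be unserialized, use arrays or plain data instead", so plugin authors reading the breaking-changes list know exactly which objects survive the upgrade.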
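Review bot: the libs/README.md hunk replaces the itemised record of local Zend modifications (the ZF-10888/ZF-10835 fixes, ZF-10871 and the `iconv_set_encoding()` change) with "various adjustments to remove unused parts of Zend Framework", which loses the information a future maintainer needs when re-syncing the bundled copy. The new "Make sure sessions work when storing notifications" bullet should at least name the file and the change, e.g. "Zend/Session.php: replace `unserialize()` with `Piwik\Common::safe_unserialize()` and allow-list `Piwik\Notification`", so the hardening is not silently dropped the next time the library is updated.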
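Review bot: the Zend/Session.php hunk assigns the result of `safe_unserialize()` straight to `$_SESSION` without checking it, so if the stored payload is rejected (for instance because it references a class other than `\Piwik\Notification`, or is corrupt) `$_SESSION` becomes whatever the failure value of `safe_unserialize()` is rather than an array; the hunk does not show that value, but nothing here guarantees it is an array. Suggest capturing the result first, e.g. `$data = \Piwik\Common::safe_unserialize(base64_decode($_SESSION['data'], true), [\Piwik\Notification::class]);` followed by `$_SESSION = is_array($data) ? $data : [];`, so a tampered or unreadable session degrades to an empty session instead of leaving `$_SESSION` in a non-array state that later code may not expect. Passing `true` as the second argument to `base64_decode()` additionally rejects malformed input instead of silently skipping invalid characters. A one-line comment above the allow-list explaining why `Notification` must remain deserializable would also help, given that the CHANGELOG entry in this patch says class instances are no longer supported.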