
1.4.1

@StijnVrolijk StijnVrolijk released this 29 May 09:15
· 2 commits to 1-4-1-base since this release

Security release:
#69
If a user sets a cookie containing a serialized object, code inside that object might be executed when the cookie is unserialized, through the __wakeup magic method.

This pull request attempts to prevent this by setting and getting cookies through json_encode/json_decode. We've also provided a fallback by checking whether the cookie's string contains a serialized object. If it doesn't, we still unserialize the cookie and re-set it using json_encode. If the cookie does contain a serialized object, an exception will be thrown.

This security fix will break your website if objects are set in cookies.

See https://www.owasp.org/index.php/PHP_Object_Injection for an example.
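A hypothetical helper (added here, not the project's code) showing the approach the release describes: cookies are written with json_encode and read with json_decode, a legacy serialize() payload is unserialized only when it carries no object marker, and one that does is rejected with an exception. It assumes PHP 7.3 or later; the class and method names are made up.

```php
<?php
// Hypothetical helper modelled on the release's approach; not the project's code.
final class SafeCookie
{
    // Prefix of a serialized object (O:8:"stdClass":) or Serializable payload (C:...), anywhere in the string.
    private const SERIALIZED_OBJECT = '/[OC]:\d+:"/';

    /** Encode a value for a cookie with JSON only; objects are refused outright. */
    public static function encode($value): string
    {
        if (is_object($value)) {
            throw new InvalidArgumentException('Objects may not be stored in cookies');
        }
        return json_encode($value, JSON_THROW_ON_ERROR);
    }

    /**
     * Decode a raw cookie. JSON decodes to arrays, so no class is instantiated and no
     * __wakeup() runs. A legacy serialize() payload is accepted only if it holds no
     * object; $wasLegacy tells the caller to re-set the cookie via encode().
     */
    public static function decode(string $raw, bool &$wasLegacy = false)
    {
        $wasLegacy = false;
        try {
            return json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
        } catch (JsonException $e) {
            // Not JSON: this cookie was written before the fix.
        }
        if (preg_match(self::SERIALIZED_OBJECT, $raw) === 1) {
            throw new RuntimeException('Refusing to unserialize an object from a cookie');
        }
        // Defence in depth: allowed_classes=false yields __PHP_Incomplete_Class, never __wakeup().
        $value = @unserialize($raw, ['allowed_classes' => false]);
        if ($value === false && $raw !== 'b:0;') {
            throw new RuntimeException('Cookie is neither JSON nor a serialized value');
        }
        $wasLegacy = true;
        return $value;
    }
}

// Constructed sample cookies, as a browser might send them.
$prefs = SafeCookie::decode(serialize(['lang' => 'nl']), $isLegacy); // pre-fix format, no object
if ($isLegacy) {
    setcookie('prefs', SafeCookie::encode($prefs));                   // migrate to JSON
}
try {
    SafeCookie::decode('O:8:"stdClass":1:{s:1:"x";i:1;}');            // serialized object: rejected
} catch (RuntimeException $e) {
    error_log($e->getMessage());
}
```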