pecintaseni
/
engineN
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
76 Commits
1 Branch
0 Tags
510 MiB
Tree: afaa7487f2
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'afaa7487f2'
${ noResults }
engineN/system/ThirdParty/Kint/Parser/SerializePlugin.php

110 lines
3.5 KiB
Raw Normal View History Unescape

replace Index
1 year ago
<?php
declare(strict_types=1);
/*
* The MIT License (MIT)
*
* Copyright (c) 2013 Jonathan Vollebregt (jnvsor@gmail.com), Rokas Šleinius (raveren@gmail.com)
*
* Permission is hereby granted, free of charge, to any person obtaining a copy of
* this software and associated documentation files (the "Software"), to deal in
* the Software without restriction, including without limitation the rights to
* use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
* the Software, and to permit persons to whom the Software is furnished to do so,
* subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
* FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
* COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
* IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
namespace Kint\Parser;
use Kint\Zval\Representation\Representation;
use Kint\Zval\Value;
class SerializePlugin extends AbstractPlugin
{
/**
* Disables automatic unserialization on arrays and objects.
*
* As the PHP manual notes:
*
* > Unserialization can result in code being loaded and executed due to
* > object instantiation and autoloading, and a malicious user may be able
* > to exploit this.
*
* The natural way to stop that from happening is to just refuse to unserialize
* stuff by default. Which is what we're doing for anything that's not scalar.
*
* @var bool
*/
public static $safe_mode = true;
/**
* @var bool|class-string[]
*/
public static $allowed_classes = false;
public function getTypes(): array
{
return ['string'];
}
public function getTriggers(): int
{
return Parser::TRIGGER_SUCCESS;
}
public function parse(&$var, Value &$o, int $trigger): void
{
$trimmed = \rtrim($var);
if ('N;' !== $trimmed && !\preg_match('/^(?:[COabis]:\\d+[:;]|d:\\d+(?:\\.\\d+);)/', $trimmed)) {
return;
}
$options = ['allowed_classes' => self::$allowed_classes];
if (!self::$safe_mode || !\in_array($trimmed[0], ['C', 'O', 'a'], true)) {
// Suppress warnings on unserializeable variable
$data = @\unserialize($trimmed, $options);
if (false === $data && 'b:0;' !== \substr($trimmed, 0, 4)) {
return;
}
}
$base_obj = new Value();
$base_obj->depth = $o->depth + 1;
$base_obj->name = 'unserialize('.$o->name.')';
if ($o->access_path) {
$base_obj->access_path = 'unserialize('.$o->access_path;
if (true === self::$allowed_classes) {
$base_obj->access_path .= ')';
} else {
$base_obj->access_path .= ', '.\var_export($options, true).')';
}
}
$r = new Representation('Serialized');
if (isset($data)) {
$r->contents = $this->parser->parse($data, $base_obj);
} else {
$base_obj->hints[] = 'blacklist';
$r->contents = $base_obj;
}
$o->addRepresentation($r, 0);
}
}