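<?php

namespace Mautic\CoreBundle\Helper;

class Serializer
{
    /**
     * Unserializing a string can be a security vulnerability as it can contain classes that can execute PHP code.
     * PHP >=7 has the `['allowed_classes' => false]` option to disable classes altogether or whitelist those needed.
     * PHP <7 does not accept the second parameter (it throws a warning and returns false), so it is handled differently.
     * This helper method is secure for PHP >= 7 by default and handles all PHP versions.
     *
     * PHP does not recommend unserializing untrusted user input even with ['allowed_classes' => false].
     *
     * @param string $serializedString
     * @param array  $options          Passed straight through to unserialize() on PHP >= 7
     *
     * @return mixed Whatever unserialize() returns (false on a malformed string, indistinguishable from a serialized false)
     *
     * @throws \InvalidArgumentException when the string contains an object token, or when the object pre-check itself fails
     */
    public static function decode($serializedString, array $options = ['allowed_classes' => false])
    {
        // Pre-check for serialized objects before the string reaches unserialize(). An object token
        // ("O:" for a regular object, "C:" for a class implementing Serializable, whose unserialize()
        // method would run) can only appear at the start of the string or directly after one of the
        // separators ';', '{' or '}'. The optional '+' covers the "O:+1:" spelling unserialize() accepts.
        $objectFound = preg_match('/(^|;|{|})[OC]:\+?[0-9]+:"/', $serializedString);

        if (false === $objectFound) {
            // A PCRE failure (e.g. backtrack limit) would otherwise let the string through unchecked; fail closed.
            throw new \InvalidArgumentException('The string could not be checked for objects before unserializing.');
        }

        if (1 === $objectFound) {
            // NOTE: the full input is echoed in the message; keep that in mind for where these exceptions are logged.
            throw new \InvalidArgumentException(sprintf('The string %s contains an object.', $serializedString));
        }

        // unserialize() only accepts the $options argument on PHP >= 7; older versions warn and return false.
        if (PHP_VERSION_ID < 70000) {
            return unserialize($serializedString);
        }

        return unserialize($serializedString, $options);
    }
}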