Namespaces

Classes

1: <?php
2:
3: /*
4: * The MIT License (MIT)
5: *
6: * Copyright (c) 2013 Jonathan Vollebregt (jnvsor@gmail.com), Rokas Šleinius (raveren@gmail.com)
7: *
8: * Permission is hereby granted, free of charge, to any person obtaining a copy of
9: * this software and associated documentation files (the "Software"), to deal in
10: * the Software without restriction, including without limitation the rights to
11: * use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
12: * the Software, and to permit persons to whom the Software is furnished to do so,
13: * subject to the following conditions:
14: *
15: * The above copyright notice and this permission notice shall be included in all
16: * copies or substantial portions of the Software.
17: *
18: * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19: * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
20: * FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
21: * COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
22: * IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
23: * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
24: */
25:
26: namespace Kint\Parser;
27:
28: use Kint\Object\BasicObject;
29: use Kint\Object\Representation\Representation;
30:
31: class SerializePlugin extends Plugin
32: {
33: /**
34: * Disables automatic unserialization on arrays and objects.
35: *
36: * As the PHP manual notes:
37: *
38: * > Unserialization can result in code being loaded and executed due to
39: * > object instantiation and autoloading, and a malicious user may be able
40: * > to exploit this.
41: *
42: * The natural way to stop that from happening is to just refuse to unserialize
43: * stuff by default. Which is what we're doing for anything that's not scalar.
44: *
45: * @var bool
46: */
47: public static $safe_mode = true;
48: public static $options = array(true);
49:
50: public function getTypes()
51: {
52: return array('string');
53: }
54:
55: public function getTriggers()
56: {
57: return Parser::TRIGGER_SUCCESS;
58: }
59:
60: public function parse(&$var, BasicObject &$o, $trigger)
61: {
62: $trimmed = \rtrim($var);
63:
64: if ('N;' !== $trimmed && !\preg_match('/^(?:[COabis]:\\d+[:;]|d:\\d+(?:\\.\\d+);)/', $trimmed)) {
65: return;
66: }
67:
68: if (!self::$safe_mode || !\in_array($trimmed[0], array('C', 'O', 'a'), true)) {
69: // Second parameter only supported on PHP 7
70: if (KINT_PHP70) {
71: // Suppress warnings on unserializeable variable
72: $data = @\unserialize($trimmed, self::$options);
73: } else {
74: $data = @\unserialize($trimmed);
75: }
76:
77: if (false === $data && 'b:0;' !== \substr($trimmed, 0, 4)) {
78: return;
79: }
80: }
81:
82: $base_obj = new BasicObject();
83: $base_obj->depth = $o->depth + 1;
84: $base_obj->name = 'unserialize('.$o->name.')';
85:
86: if ($o->access_path) {
87: $base_obj->access_path = 'unserialize('.$o->access_path;
88: if (!KINT_PHP70 || self::$options === array(true)) {
89: $base_obj->access_path .= ')';
90: } elseif (self::$options === array(false)) {
91: $base_obj->access_path .= ', false)';
92: } else {
93: $base_obj->access_path .= ', Serialize::$options)';
94: }
95: }
96:
97: $r = new Representation('Serialized');
98:
99: if (isset($data)) {
100: $r->contents = $this->parser->parse($data, $base_obj);
101: } else {
102: $base_obj->hints[] = 'blacklist';
103: $r->contents = $base_obj;
104: }
105:
106: $o->addRepresentation($r, 0);
107: }
108: }
109:
API documentation generated by ApiGen v7.0.0-alpha.6