Findings of classes are not allowed for unserialization

slackero · slackero · commit c8edf973aecb · 2025-06-02T09:32:02.000+02:00
diff --git a/include/inc_front/content/cnt13.article.inc.php b/include/inc_front/content/cnt13.article.inc.php
@@ -278,7 +278,7 @@
 
                             case 29:    $s_text .= ' '.$scrow['acontent_text'];
                             case 2:     if($content['search']['search_caption'] || $content['search']['search_filename']) {
-                                            $scrow['acontent_form'] = @unserialize($scrow['acontent_form']);
+                                            $scrow['acontent_form'] = @unserialize($scrow['acontent_form'], ['allowed_classes' => false]);
                                             if(isset($scrow['acontent_form']['images']) && is_array($scrow['acontent_form']['images']) && count($scrow['acontent_form']['images'])) {
                                                 $s_imgname = '';
                                                 foreach($scrow['acontent_form']['images'] as $s_imgtext) {
@@ -306,7 +306,7 @@
 
                             case 31:    $s_text .= ' '.$scrow['acontent_html'];
                                         if($content['search']['search_caption'] || $content['search']['search_filename']) {
-                                            $scrow['acontent_form'] = @unserialize($scrow['acontent_form']);
+                                            $scrow['acontent_form'] = @unserialize($scrow['acontent_form'], ['allowed_classes' => false]);
                                             if(isset($scrow['acontent_form']['images']) && is_array($scrow['acontent_form']['images']) && count($scrow['acontent_form']['images'])) {
                                                 foreach($scrow['acontent_form']['images'] as $s_imgtext) {
                                                     if($content['search']['search_caption']) {
@@ -323,7 +323,7 @@
 
                             // search recipe
                             case 26:    $s_text .= ' '.$scrow['acontent_text'].' '.$scrow['acontent_html'];
-                                        $scrow['acontent_form'] = @unserialize($scrow['acontent_form']);
+                                        $scrow['acontent_form'] = @unserialize($scrow['acontent_form'], ['allowed_classes' => false]);
                                         if(isset($scrow['acontent_form']['preparation'])) {
                                             $s_text .= ' '.$scrow['acontent_form']['preparation'].' '.$scrow['acontent_form']['ingredients'];
                                             $s_text .= ' '.$scrow['acontent_form']['calorificvalue'].' '.$scrow['acontent_form']['calorificvalue_add'];
diff --git a/include/inc_front/content/cnt2.article.inc.php b/include/inc_front/content/cnt2.article.inc.php
@@ -10,7 +10,7 @@
  **/
 
 //images (gallery)
-$image = @unserialize($crow["acontent_form"]);
+$image = @unserialize($crow["acontent_form"], ['allowed_classes' => false]);
 
 if(is_array($image) && ($image_count = count($image))) {
 
diff --git a/include/inc_front/content/cnt21.article.inc.php b/include/inc_front/content/cnt21.article.inc.php
@@ -34,7 +34,7 @@
 }
 
 $CNT_TMP .= headline($crow['acontent_title'], $crow['acontent_subtitle'], $template_default['article']);
-$content['page_file'] = @unserialize($crow['acontent_form']);
+$content['page_file'] = @unserialize($crow['acontent_form'], ['allowed_classes' => false]);
 if(!empty($content['page_file']['source'])) {
 	$CNT_TMP .= empty($content['page_file']['pfile']) ? '' : include_url($content['page_file']['pfile']);
 } elseif(!empty($content['page_file']['pfile'])) {
diff --git a/include/inc_front/content/cnt25.article.inc.php b/include/inc_front/content/cnt25.article.inc.php
@@ -78,7 +78,7 @@ function get_mediaplayer_stream($fileid=0, $flash=false) {
 
 }
 
-$fmp_data = @unserialize($crow["acontent_form"]);
+$fmp_data = @unserialize($crow["acontent_form"], ['allowed_classes' => false]);
 
 if(isset($fmp_data['fmp_template'])) {
 
diff --git a/include/inc_front/content/cnt27.article.inc.php b/include/inc_front/content/cnt27.article.inc.php
@@ -18,7 +18,7 @@
 
 //FAQ
 
-$crow["acontent_form"]	= @unserialize($crow["acontent_form"]);
+$crow["acontent_form"]	= @unserialize($crow["acontent_form"], ['allowed_classes' => false]);
 $crow["acontent_image"]	= empty($crow["acontent_image"]) ? '' : explode(":", $crow["acontent_image"]);
 
 if(!empty($crow["acontent_form"]['faq_template']) && file_exists(PHPWCMS_TEMPLATE.'inc_cntpart/faq/'.$crow["acontent_form"]['faq_template'])) {
diff --git a/include/inc_front/content/cnt28.article.inc.php b/include/inc_front/content/cnt28.article.inc.php
@@ -37,7 +37,7 @@
 
 if(!empty($crow["acontent_template"]) && is_file(PHPWCMS_TEMPLATE.'inc_cntpart/felogin/'.$crow["acontent_template"])) {
 
-    $_loginData                     = @unserialize($crow["acontent_form"]);
+    $_loginData                     = @unserialize($crow["acontent_form"], ['allowed_classes' => false]);
 
     $_loginData['template']         = render_device( @file_get_contents(PHPWCMS_TEMPLATE.'inc_cntpart/felogin/'.$crow["acontent_template"]) );
 
diff --git a/include/inc_front/content/cnt31.article.inc.php b/include/inc_front/content/cnt31.article.inc.php
@@ -22,7 +22,7 @@
 
 //images (gallery)
 
-$image  = @unserialize($crow["acontent_form"]);
+$image  = @unserialize($crow["acontent_form"], ['allowed_classes' => false]);
 $crow['acontent_template_listmode'] = empty($crow['acontent_template_listmode']) ? false : true;
 if(empty($image['fieldgroup'])) {
     $image['fieldgroup'] = '';
diff --git a/include/inc_front/content/cnt8.article.inc.php b/include/inc_front/content/cnt8.article.inc.php
@@ -22,7 +22,7 @@
 // Check if custom array is given or parse it based on the default behavior
 if(!isset($content['alink']['inject'])) {
 
-    $content['alink'] = @unserialize($crow["acontent_form"]);
+    $content['alink'] = @unserialize($crow["acontent_form"], ['allowed_classes' => false]);
 
     if(!isset($content['alink']['alink_id'])) {
         $content['alink']['alink_id'] = explode(':', $crow['acontent_alink']);
diff --git a/include/inc_front/content/cnt9.article.inc.php b/include/inc_front/content/cnt9.article.inc.php
@@ -33,7 +33,7 @@
 
 }
 
-$media              = @unserialize($crow['acontent_form']);
+$media              = @unserialize($crow['acontent_form'], ['allowed_classes' => false]);
 $media["source"]    = '';
 $media["code"]      = '';
 $media["alt"]       = '';
diff --git a/include/inc_front/content/cnt_functions/cnt13.func.inc.php b/include/inc_front/content/cnt_functions/cnt13.func.inc.php
@@ -204,7 +204,7 @@ function search() {
 				$s_text .= ', '.$value['cnt_editor'];
 			}
 
-			$value['cnt_object'] = @unserialize($value['cnt_object']);
+			$value['cnt_object'] = @unserialize($value['cnt_object'], ['allowed_classes' => false]);
 
 			if(!empty($value['cnt_object']['cnt_searchoff'])) {
 				continue;
diff --git a/include/inc_front/ext.func.inc.php b/include/inc_front/ext.func.inc.php
@@ -805,7 +805,7 @@ function get_article_data($article_id, $limit=0, $sort='', $where='', $not=array
             "article_sort"      => $row["article_sort"],
             "article_notitle"   => $row["article_notitle"],
             "article_created"   => $row["article_created"],
-            "article_image"     => @unserialize($row["article_image"]),
+            "article_image"     => @unserialize($row["article_image"], ['allowed_classes' => false]),
             "article_timeout"   => $row["article_cache"],
             "article_nosearch"  => $row["article_nosearch"],
             "article_nositemap" => $row["article_nositemap"],
@@ -850,7 +850,7 @@ function get_article_data($article_id, $limit=0, $sort='', $where='', $not=array
                     $data[$aid]["article_summary"]  = $alias_row["article_summary"];
                     $data[$aid]["article_redirect"] = $alias_row["article_redirect"];
                     $data[$aid]["article_date"]     = $alias_row["article_date"];
-                    $data[$aid]["article_image"]    = @unserialize($alias_row["article_image"]);
+                    $data[$aid]["article_image"]    = @unserialize($alias_row["article_image"], ['allowed_classes' => false]);
                     $data[$aid]["article_begin"]    = $alias_row["article_begin"];
                     $data[$aid]["article_end"]      = $alias_row["article_end"];
                     $data[$aid]['article_livedate'] = $alias_row["article_livedate"];
diff --git a/include/inc_module/mod_ads/inc/ads.fe_init.inc.php b/include/inc_module/mod_ads/inc/ads.fe_init.inc.php
@@ -31,7 +31,7 @@
 	$ad_data = _dbQuery($sql);
 
 	if(!empty($ad_data[0]['adcampaign_data'])) {
-		$ad_data = @unserialize($ad_data[0]['adcampaign_data']);
+		$ad_data = @unserialize($ad_data[0]['adcampaign_data'], ['allowed_classes' => false]);
 
 		$ads_userip		= PHPWCMS_GDPR_MODE ? getAnonymizedIp() : getRemoteIP();
 		$ads_useragent	= $_SERVER['HTTP_USER_AGENT'];
diff --git a/include/inc_module/mod_ads/inc/ads.fe_render.inc.php b/include/inc_module/mod_ads/inc/ads.fe_render.inc.php
@@ -80,7 +80,7 @@ function renderAds($match) {
 		return '';
 	}
 
-	$ad['adcampaign_data']	= @unserialize($ad['adcampaign_data']);
+	$ad['adcampaign_data']	= @unserialize($ad['adcampaign_data'], ['allowed_classes' => false]);
 	$ad['dir']				= PHPWCMS_CONTENT.PHPWCMS_ADS_DIR.'/'.$ad['adcampaign_id'];
 	$ad['content_dir']		= CONTENT_PATH.PHPWCMS_ADS_DIR.'/'.$ad['adcampaign_id'].'/';
 	if($ad['adcampaign_type']!=2 && $ad['adcampaign_type']!=4 && !is_dir($ad['dir'])) {
diff --git a/include/inc_module/mod_ads/inc/processing.inc.php b/include/inc_module/mod_ads/inc/processing.inc.php
@@ -73,7 +73,7 @@
     $sql .= 'FROM '.DB_PREPEND.'phpwcms_ads_campaign WHERE adcampaign_id='.$plugin['id'];
     $plugin['data'] = _dbQuery($sql);
     $plugin['data'] = $plugin['data'][0];
-    $plugin['data']['adcampaign_data'] = @unserialize($plugin['data']['adcampaign_data']);
+    $plugin['data']['adcampaign_data'] = @unserialize($plugin['data']['adcampaign_data'], ['allowed_classes' => false]);
     if(!is_array($plugin['data']['adcampaign_data'])) {
         $plugin['data']['adcampaign_data'] = array(
 
diff --git a/include/inc_module/mod_calendar/inc/processing.inc.php b/include/inc_module/mod_calendar/inc/processing.inc.php
@@ -188,7 +188,7 @@
     $plugin['data'] = _dbQuery($sql);
     $plugin['data'] = $plugin['data'][0];
 
-    $plugin['data']['calendar_object'] = @unserialize($plugin['data']['calendar_object']);
+    $plugin['data']['calendar_object'] = @unserialize($plugin['data']['calendar_object'], ['allowed_classes' => false]);
 
     if(is_array($plugin['data']['calendar_object'])) {
         if(isset($plugin['data']['calendar_object']['image'])) {
diff --git a/include/inc_module/mod_glossary/inc/cnt.article.php b/include/inc_module/mod_glossary/inc/cnt.article.php
@@ -22,7 +22,7 @@
 // if you ant to access module vars check that var
 // $phpwcms['modules'][$crow["acontent_module"]]
 
-$content['glossary'] = @unserialize($crow["acontent_form"]);
+$content['glossary'] = @unserialize($crow["acontent_form"], ['allowed_classes' => false]);
 
 // check for template and load default in case of error
 if(empty($content['glossary']['glossary_template'])) {
diff --git a/include/inc_module/mod_shop/api.shop.php b/include/inc_module/mod_shop/api.shop.php
@@ -93,7 +93,7 @@ function _convert_charset($string) {
 
         foreach($data as $row) {
 
-            $row['order_data'] = @unserialize($row['order_data']);
+            $row['order_data'] = @unserialize($row['order_data'], ['allowed_classes' => false]);
 
             // fallback for additional fields
 
diff --git a/include/inc_module/mod_shop/frontend.render.php b/include/inc_module/mod_shop/frontend.render.php
@@ -799,7 +799,7 @@
             $row['gross']   = number_format($row['gross'], $_tmpl['config']['price_decimals'], $_tmpl['config']['dec_point'], $_tmpl['config']['thousands_sep']);
             $row['weight']  = $row['shopprod_weight'] > 0 ? number_format($row['shopprod_weight'], $_tmpl['config']['weight_decimals'], $_tmpl['config']['dec_point'], $_tmpl['config']['thousands_sep']) : '';
 
-            $row['shopprod_var'] = @unserialize($row['shopprod_var']);
+            $row['shopprod_var'] = @unserialize($row['shopprod_var'], ['allowed_classes' => false]);
             $row['shopprod_var']['request'] = !empty($row['shopprod_var']['request']);
             if (empty($row['shopprod_var']['request_url'])) {
                 $row['shopprod_var']['request_url'] = trim($_tmpl['config']['default_request_url']);
diff --git a/include/inc_module/mod_shop/inc/listing.orders.inc.php b/include/inc_module/mod_shop/inc/listing.orders.inc.php
@@ -58,7 +58,7 @@
         echo '<td class="dir nowrap" width="13%">';
 
         if(SHOP_FELANG_SUPPORT) {
-            $row['order_data']		= @unserialize($row['order_data']);
+            $row['order_data']		= @unserialize($row['order_data'], ['allowed_classes' => false]);
             $row['shopprod_lang']	= empty($row['order_data']['lang']) ? '' : html_specialchars(strtolower($row['order_data']['lang']));
             echo '<img src="img/famfamfam/lang/'.($row['shopprod_lang'] ? $row['shopprod_lang'] : 'all').'.png" alt="'.$row['shopprod_lang'].'" style="position:relative;top:1px;margin:0 3px 0 3px;" />';
         }
diff --git a/include/inc_module/mod_shop/inc/processing.orders.inc.php b/include/inc_module/mod_shop/inc/processing.orders.inc.php
@@ -68,7 +68,7 @@
 	if(isset($plugin['data'][0])) {
 
 		$plugin['data'] = $plugin['data'][0];
-		$plugin['data']['order_data'] = @unserialize($plugin['data']['order_data']);
+		$plugin['data']['order_data'] = @unserialize($plugin['data']['order_data'], ['allowed_classes' => false]);
 
 	} else {
 
diff --git a/include/inc_module/mod_shop/inc/processing.products.inc.php b/include/inc_module/mod_shop/inc/processing.products.inc.php
@@ -371,7 +371,7 @@
             $plugin['data']['shopprod_changedate']	= strtotime($plugin['data']['shopprod_changedate']);
             $plugin['data']['shopprod_category']	= convertStringToArray($plugin['data']['shopprod_category']);
 
-            $plugin['data']['shopprod_var']			= @unserialize($plugin['data']['shopprod_var']);
+            $plugin['data']['shopprod_var']			= @unserialize($plugin['data']['shopprod_var'], ['allowed_classes' => false]);
             if(isset($plugin['data']['shopprod_var']['images']) && is_array($plugin['data']['shopprod_var']['images'])) {
                 $plugin['data']['shopprod_images']	= $plugin['data']['shopprod_var']['images'];
             } else {
diff --git a/template/inc_script/frontend_render/disabled/list_form_entries.php b/template/inc_script/frontend_render/disabled/list_form_entries.php
@@ -66,7 +66,7 @@
     foreach($_form_entries['ALL'] as $_form_entries_value) {
 
         $_form_entries['ENTRIES'][$_fc] = $_form_entries['ENTRY'];
-        $_form_entries_value = @unserialize($_form_entries_value['formresult_content']);
+        $_form_entries_value = @unserialize($_form_entries_value['formresult_content'], ['allowed_classes' => false]);
         foreach($_form_entries_value as $_form_entries_key => $_form_entries_value1) {
 
             if(isset($_form_entries['SELECT'][$_form_entries_key])) {

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`$CNT_TMP .= headline($crow['acontent_title'], $crow['acontent_subtitle'], $template_default['article']);`
`37`		`-$content['page_file'] = @unserialize($crow['acontent_form']);`
	`37`	`+$content['page_file'] = @unserialize($crow['acontent_form'], ['allowed_classes' => false]);`
`38`	`38`	`if(!empty($content['page_file']['source'])) {`
`39`	`39`	`$CNT_TMP .= empty($content['page_file']['pfile']) ? '' : include_url($content['page_file']['pfile']);`
`40`	`40`	`} elseif(!empty($content['page_file']['pfile'])) {`
Original file line number	Diff line number	Diff line change
`@@ -78,7 +78,7 @@ function get_mediaplayer_stream($fileid=0, $flash=false) {`
`78`	`78`
`79`	`79`	`}`
`80`	`80`
`81`		`-$fmp_data = @unserialize($crow["acontent_form"]);`
	`81`	`+$fmp_data = @unserialize($crow["acontent_form"], ['allowed_classes' => false]);`
`82`	`82`
`83`	`83`	`if(isset($fmp_data['fmp_template'])) {`
`84`	`84`
Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@`
`33`	`33`
`34`	`34`	`}`
`35`	`35`
`36`		`-$media = @unserialize($crow['acontent_form']);`
	`36`	`+$media = @unserialize($crow['acontent_form'], ['allowed_classes' => false]);`
`37`	`37`	`$media["source"] = '';`
`38`	`38`	`$media["code"] = '';`
`39`	`39`	`$media["alt"] = '';`
Original file line number	Diff line number	Diff line change
`@@ -204,7 +204,7 @@ function search() {`
`204`	`204`	`$s_text .= ', '.$value['cnt_editor'];`
`205`	`205`	`}`
`206`	`206`
`207`		`- $value['cnt_object'] = @unserialize($value['cnt_object']);`
	`207`	`+ $value['cnt_object'] = @unserialize($value['cnt_object'], ['allowed_classes' => false]);`
`208`	`208`
`209`	`209`	`if(!empty($value['cnt_object']['cnt_searchoff'])) {`
`210`	`210`	`continue;`