$ phpcs --standard=Drupalpractice --extensions=php,module,inc,install,test,profile,theme,css,info,txt,md,yml post_api/
Xdebug: [Step Debug] Time-out connecting to debugging client, waited: 200 ms. Tried: localhost:9000 (through xdebug.client_host/xdebug.client_port) :-(

FILE: C:\Users\SI-001\Downloads\post_api\src\Form\PostApiQueueForm.php
--------------------------------------------------------------------------------------------------------------------------------------------
FOUND 1 ERROR AFFECTING 1 LINE
--------------------------------------------------------------------------------------------------------------------------------------------
112 | ERROR | unserialize() is insecure unless allowed classes are limited. Use a safe format like JSON or use the allowed_classes option.
--------------------------------------------------------------------------------------------------------------------------------------------

Time: 399ms; Memory: 8MB
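
What the `allowed_classes` option named in the phpcs message changes, shown as an added example: this is not post_api code or the committed patch, and `Probe`, `contains_object`, `decode_scalars_only` and the sample data are hypothetical (PHP 8 assumed).

```php
<?php

// Hypothetical stand-in for any class with a magic method (not post_api code).
final class Probe {
  public static int $wakeups = 0;

  public function __wakeup(): void {
    // Runs as a side effect of unserialize() whenever this class is allowed.
    self::$wakeups++;
  }
}

// Returns TRUE if the value holds an object at any depth.
function contains_object(mixed $value): bool {
  if (!is_array($value)) {
    return is_object($value);
  }
  foreach ($value as $child) {
    if (contains_object($child)) {
      return TRUE;
    }
  }
  return FALSE;
}

// Hypothetical helper: decodes stored data with object creation disabled.
function decode_scalars_only(string $raw): array {
  // Disallowed classes come back as inert __PHP_Incomplete_Class placeholders.
  $value = unserialize($raw, ['allowed_classes' => FALSE]);
  if (!is_array($value) || contains_object($value)) {
    throw new UnexpectedValueException('Rejected: not a plain array.');
  }
  return $value;
}

// Constructed sample standing in for a stored queue item.
$stored = serialize(['uid' => 7, 'payload' => new Probe()]);

// Flagged form: the class named in the data is instantiated, __wakeup() runs.
$loose = unserialize($stored);
printf("default: %s, wakeups=%d\n", get_class($loose['payload']), Probe::$wakeups);

try {
  decode_scalars_only($stored);
}
catch (UnexpectedValueException $e) {
  printf("restricted: %s, wakeups=%d\n", $e->getMessage(), Probe::$wakeups);
}
```

The wakeup counter does not advance on the restricted call, because the class named in the data is never instantiated.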


Comments

Rakhi Soni created an issue. See original summary.

rakhi soni

Assigned: rakhi soni » Unassigned
Status: Active » Needs review
File: status new, size 538 bytes

Kindly review patch.

mauryarahul11

Status: Needs review » Needs work

Thanks @Rakhi Soni for your patch. After applying your patch, the unserialize error is resolved, but there are other errors and warnings I have found (listed below) when I ran phpcs with standards Drupal and DrupalPractice. Hence moving it to Needs Work.

FILE: /post_api/post_api.module
---------------------------------------------------------------------------------
FOUND 0 ERRORS AND 1 WARNING AFFECTING 1 LINE
---------------------------------------------------------------------------------
 45 | WARNING | [x] '@todo: add config setting for granular logging.' should match the format '@todo Fix problem X here.'
---------------------------------------------------------------------------------

FILE: /post_api/src/Service/AddToQueue.php
---------------------------------------------------------------------------------
FOUND 1 ERROR AND 1 WARNING AFFECTING 2 LINES
---------------------------------------------------------------------------------
 80 | WARNING | [x] '@todo: display warning if uid is not set for the item.' should match the format '@todo Fix problem X here.'
 97 | ERROR   | [x] Use null coalesce operator instead of ternary operator.
----------------------------------------------------------------------------------

FILE: /post_api/src/Plugin/QueueWorker/PostApiQueueBase.php
--------------------------------------------------------------------------------------------
FOUND 2 ERRORS AND 1 WARNING AFFECTING 3 LINES
--------------------------------------------------------------------------------------------
 176 | ERROR   | [x] Use null coalesce operator instead of ternary operator.
 178 | ERROR   | [x] Use null coalesce operator instead of ternary operator.
 226 | WARNING | [x] '@todo: allow API rate limit customization based on more granular time' should match the format '@todo Fix problem X here.'
--------------------------------------------------------------------------------------------

FILE: /post_api/src/Form/PostApiSettingsForm.php
------------------------------------------------------------------------------
FOUND 0 ERRORS AND 1 WARNING AFFECTING 1 LINE
-----------------------------------------------------------------------------
 13 | WARNING | The class short comment should describe what the class does and not simply repeat the class name
------------------------------------------------------------------------------

FILE: /post_api/src/Form/PostApiQueueForm.php
-----------------------------------------------------------------------------
FOUND 0 ERRORS AND 1 WARNING AFFECTING 1 LINE
-------------------------------------------------------------------------------
 19 | WARNING | The class short comment should describe what the class does and not simply repeat the class name
-------------------------------------------------------------------------------

dharti patel

Assigned: Unassigned » dharti patel

Hello,

I'll work on this issue.

Thanks!

dharti patel

Assigned: dharti patel » Unassigned
Status: Needs work » Needs review
File: status new, size 3.99 KB

Hello,

I have created a patch to fix this issue.
Kindly review the patch.

Thanks!

mauryarahul11

Status: Needs review » Reviewed & tested by the community

Thanks @Dharti Patel, I reviewed your patch and after applying it, I cannot see any errors and warnings related to phpcs. Hence moving it to RTBC.

Thanks!

swirt

I am accepting the patch from #2 as it was focused on the problem of this issue.
Patch #5 tried to resolve unrelated issues.

  • swirt committed da2c6177 on 2.x
    Resolve #3303851 Unserialize is insecure
    
swirt

Status: Reviewed & tested by the community » Fixed

swirt

Status: Fixed » Closed (fixed)