Problem/Motivation
Some files from the module show the error "unserialize() is insecure unless allowed classes are limited. Use a safe format like JSON or use the allowed_classes option." when verifying code standards with PHPCS.
Steps to reproduce
Run the following command in the module folder:
phpcs --standard=Drupal,DrupalPractice --extensions=php,module,inc,install,test,profile,theme,css,info,md,yml *
Proposed resolution
Change the code to use the allowed_classes option.
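The following is an added example, not code from the Webform module or its merge request, showing what the allowed_classes option changes when stored data is expected to hold only arrays and scalars. The class AuditProbe and the functions contains_object() and decode_settings() are hypothetical names, and the payloads are constructed for the demonstration.

```php
<?php
// Hypothetical class standing in for any class whose magic methods
// run as a side effect of unserialization.
final class AuditProbe {
  public static $wakeups = 0;

  public function __wakeup(): void {
    self::$wakeups++;
  }
}

// Returns TRUE if the value, or anything nested in it, is an object.
// Objects blocked by allowed_classes arrive as __PHP_Incomplete_Class.
function contains_object($value): bool {
  if (is_array($value)) {
    foreach ($value as $item) {
      if (contains_object($item)) {
        return TRUE;
      }
    }
    return FALSE;
  }
  return is_object($value) || $value instanceof __PHP_Incomplete_Class;
}

// Decodes data that should contain only arrays and scalars.
// Returns NULL for malformed input or input that carried an object.
function decode_settings(string $raw): ?array {
  // allowed_classes => FALSE: no class is instantiated, so __wakeup()
  // and __destruct() of application classes are never invoked.
  $data = @unserialize($raw, ['allowed_classes' => FALSE]);
  if (!is_array($data) || contains_object($data)) {
    return NULL;
  }
  return $data;
}

// Constructed payloads: a plain settings array and one carrying an object.
$plain = serialize(['limit' => 10, 'tags' => ['a', 'b']]);
$tainted = serialize(['limit' => 10, 'handler' => new AuditProbe()]);

// Unrestricted call, the pattern PHPCS flags: AuditProbe::__wakeup() runs.
unserialize($tainted);
$after_unrestricted = AuditProbe::$wakeups;

// Restricted calls: the tainted payload is rejected without running __wakeup().
var_dump(decode_settings($tainted), decode_settings($plain));
var_dump($after_unrestricted === AuditProbe::$wakeups);
```

Where a stored value legitimately contains objects, allowed_classes also accepts an array of class names, which limits instantiation to those classes.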
Issue fork webform-3318334
Comments
Comment #3
adaucyj: Could someone review it, please.
Comment #4
erikaagp (at CI&T): I'll review it
Comment #5
cilefen (as a volunteer): I think there is a base branch issue with this merge request because it changes 360 files! It needs that fixed before it can be reviewed.
Comment #8
adaucyj: Hello, @cilefen. Thanks for noticing that. I created a new MR, now pointing to the right branch and having only the commit regarding this issue.
Could someone review it, please?
Comment #9
erikaagp (at CI&T): Great! I didn't find any phpcs error related to "Error: unserialize() is insecure". So I think I can move it to RTBC. There are other phpcs errors, but none of them is related to this.
Comment #10
jrockowitz (as a volunteer and at Webform module Open Collective, The Big Blue House): Where does Drupal core stand on this issue?
There are insecure instances of unserialize() in Drupal core.
Shouldn't this be fixed in 6.1.x?
Comment #14
jrockowitz (as a volunteer and at Webform module Open Collective, The Big Blue House): I am seeing this a lot in contrib modules. I am just going to commit the patch.