Problem/Motivation
I think for security purposes we need to be doing json here instead of PHP serialization since this is field values on an entity. It's unfortunate that the serialize blog stuff doesn't just support a format so that we don't have to manually intervene to make json happen.
From #2905922-24: Implementation issue for Layout Builder
Proposed resolution
Remaining tasks
User interface changes
API changes
Data model changes
Comment | File | Size | Author |
---|---|---|---|
#8 | 2914503-8.patch | 676 bytes | jibran |
Comments
Comment #2
tim.plunkett
#2232427: Allow field types to control how properties are mapped to and from storage
Comment #3
samuel.mortenson
@tim.plunkett I reviewed the module and couldn't find any security issues specifically related to serialization. When you use a serialized column the unserialization/serialization happens before a user gets or sets the value of a field, which means that object injection is not possible by setting the value of the field to a serialized string. That said, I discovered follow-up items we should address in new issues:
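The distinction drawn in comment #3 is easy to get wrong in review, so here is an added PHP example (not Drupal core or Layout Builder code) that shows it concretely. Object injection needs attacker-controlled bytes to reach unserialize() directly; when the code itself serializes a structure that merely contains the user value, that value round-trips as a string and no class is instantiated. The LogFlusher class, the field names and the payload are all constructed for this illustration; the allowed_classes and JSON variants at the end are generic PHP hardening, not a description of what core does.

```php
<?php
declare(strict_types=1);

// Hypothetical gadget: any class whose magic methods have side effects.
// A real gadget chain would write files or execute code; this one only prints.
class LogFlusher {
    public string $path = '/tmp/harmless.log';
    public function __destruct() {
        echo "LogFlusher::__destruct ran for {$this->path}\n";
    }
}

// Constructed attacker input: a serialized LogFlusher with an attacker-chosen path.
const ATTACKER_PAYLOAD = 'O:10:"LogFlusher":1:{s:4:"path";s:11:"/etc/passwd";}';

// Vulnerable pattern: raw user bytes go straight into unserialize(), so PHP
// instantiates whatever class the string names and its magic methods run.
function unserializeUntrusted(string $blob): mixed {
    return unserialize($blob);
}

// Pattern described in the thread: the user value is one element of an array
// that the code serializes. The outer structure of the blob is chosen by the
// code, and the user value is stored as a string and comes back as a string,
// even if that string happens to look like a serialized object.
function storeFieldValue(string $userValue): string {
    return serialize(['section' => $userValue]);
}
function loadFieldValue(string $row): mixed {
    return unserialize($row)['section'];
}

// Hardened variants for the case where user-controlled bytes really must be
// decoded: allowed_classes=false makes unserialize() yield
// __PHP_Incomplete_Class instead of a live object, and JSON has no class
// instantiation at all, which is the motivation for the JSON suggestion above.
function unserializeNoClasses(string $blob): mixed {
    return unserialize($blob, ['allowed_classes' => false]);
}
function jsonRoundTrip(string $userValue): mixed {
    return json_decode(json_encode(['section' => $userValue]), true)['section'];
}

// Demonstration: compare what each path hands back for the same attacker input.
$direct = unserializeUntrusted(ATTACKER_PAYLOAD);
printf("direct unserialize yields: %s\n", get_debug_type($direct));

$viaColumn = loadFieldValue(storeFieldValue(ATTACKER_PAYLOAD));
printf("via serialized column yields: %s\n", get_debug_type($viaColumn));

$noClasses = unserializeNoClasses(ATTACKER_PAYLOAD);
printf("allowed_classes=false yields: %s\n", get_debug_type($noClasses));

$viaJson = jsonRoundTrip(ATTACKER_PAYLOAD);
printf("JSON round trip yields: %s\n", get_debug_type($viaJson));
```

Run it with `php example.php` on PHP 8.0 or later. Only the first call produces a LogFlusher instance (and its destructor fires when the script exits); the serialized-column round trip and the JSON round trip both return the attacker's bytes as a plain string, and the allowed_classes=false call returns an incomplete-class placeholder whose magic methods never run. The check to make when reviewing a serialized column is therefore where the bytes come from: a value the user sets through the field API is wrapped by the code before serialization, whereas anything that lets raw user input reach unserialize() (an import path, a REST payload decoded as PHP serialization, a cached blob an attacker can write) reintroduces the injection.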
Comment #4
tim.plunkett
Thanks @samuel.mortenson!
Comment #6
samuel.mortenson
I've created #2942975: [PP-1] Expose Layout Builder data to REST and JSON:API and #2942976: Add REST test coverage for Layout Builder, which cover points one and two from comment #3.
I don't think we should file an issue for #3.3 until we start work on a Normalizer - if we find that supporting the current storage format is too complicated, we can look at moving to JSON.
Comment #7
jibran
There is a TODO in core pointing towards this issue.
Comment #8
jibran
Comment #9
samuel.mortenson
@jibran Great catch, thanks!
Comment #10
alexpott
Committed and pushed b5d11aeac5 to 8.6.x and fcd1465565 to 8.5.x. Thanks!
Comment #13
tim.plunkett