Not a bug Decode column value maybe unsafe?

truonglv

Well-known member
Affected version
DP 10
Hi,
In the XF1 with the data type serialize you using the Php::safeUnserialize method. But in XF2 for entity not using that method.

Line from 370 to 379 of file XF\Mvc\Entity\Entity
 
The data in the database must be assumed to be legitimate and thus trusted. If an attacker can modify your database to perform an object injection, then you have very big problems in general

Generally, what you say about XF1 isn't entirely true. We did use it in some situations as a fail safe check, but it should not be relied on. Further, both XF1 and XF2 have locations where objects are serialized into the DB and thus full unserialization is needed.

So essentially, there isn't really anything unsafe given that the data here is trusted.

On a side note though, we do recommend that you use JSON for new columns where appropriate. (You can change existing ones, but you need to convert all of the data.)
 
The data in the database must be assumed to be legitimate and thus trusted. If an attacker can modify your database to perform an object injection, then you have very big problems in general

Generally, what you say about XF1 isn't entirely true. We did use it in some situations as a fail safe check, but it should not be relied on. Further, both XF1 and XF2 have locations where objects are serialized into the DB and thus full unserialization is needed.

So essentially, there isn't really anything unsafe given that the data here is trusted.

On a side note though, we do recommend that you use JSON for new columns where appropriate. (You can change existing ones, but you need to convert all of the data.)
Seem it is my mistake. Yes, I plan switch to JSON for our columns as possible.
 
Top Bottom