Commit graph

1 commit

Author SHA1 Message Date
Tim Starling
21352255ad Protect HistoryBlob storage against malicious class injection
* Add a safe unserialize() wrapper for HistoryBlob classes
* Add a safe unserialize() wrapper for plain array data as used for
  compressed internal storage by ConcatenatedGzipHistoryBlob and
  DiffHistoryBlob.
* Fix tests broken by this.
* Fix unnecessary call to uncompress(), __wakeup() does this already.
  Was a phan error now that we have more information about the type of
  $obj.
* Add tests for successful unserialize and wakeup of WMF production
  data.

Change-Id: Ic995dda16d9c6045b33f2fdae7f6575ac8329976
2022-12-02 00:26:11 +00:00
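
The pattern the commit message describes, as an added example that is not code from the commit or from MediaWiki: PHP's `unserialize()` takes an `allowed_classes` option, so stored data can only instantiate allow-listed classes and any other class name becomes an inert `__PHP_Incomplete_Class` whose magic methods never run. The wrapper names, the stand-in class bodies and the `Gadget` class are hypothetical.

```php
<?php
// Stand-in classes, constructed for this example (not MediaWiki's implementations).
class ConcatenatedGzipHistoryBlob { public $mItems = []; }
class DiffHistoryBlob { public $mDiffs = []; }
// Constructed class with a side effect on wakeup; it must never be instantiated.
class Gadget {
    public function __wakeup() { echo "Gadget::__wakeup ran\n"; }
}

const BLOB_CLASSES = [ ConcatenatedGzipHistoryBlob::class, DiffHistoryBlob::class ];

// True if an object appears anywhere inside a (nested) array value.
function containsObject( $value ): bool {
    if ( is_object( $value ) ) {
        return true;
    }
    foreach ( is_array( $value ) ? $value : [] as $item ) {
        if ( containsObject( $item ) ) {
            return true;
        }
    }
    return false;
}

// Hypothetical wrapper: returns an allow-listed blob object, or null.
function safeUnserializeBlob( string $data ): ?object {
    $obj = @unserialize( $data, [ 'allowed_classes' => BLOB_CLASSES ] );
    // Exact class match, so __PHP_Incomplete_Class placeholders are rejected.
    if ( is_object( $obj ) && in_array( get_class( $obj ), BLOB_CLASSES, true ) ) {
        return $obj;
    }
    return null;
}

// Hypothetical wrapper: plain array data only, no objects at any depth.
function safeUnserializeArray( string $data ): ?array {
    $value = @unserialize( $data, [ 'allowed_classes' => false ] );
    return ( is_array( $value ) && !containsObject( $value ) ) ? $value : null;
}

$injected = serialize( new Gadget() );  // constructed hostile input
var_dump( safeUnserializeBlob( $injected ) );                       // Gadget is not allow-listed
var_dump( safeUnserializeArray( serialize( [ new Gadget() ] ) ) );  // object nested in an array
var_dump( safeUnserializeBlob( serialize( new DiffHistoryBlob() ) ) );
var_dump( safeUnserializeArray( serialize( [ 'a' => [ 1, 2 ] ] ) ) );
```

The allow-list applies at every nesting level, so a disallowed object stored in a property of an allowed blob also arrives as `__PHP_Incomplete_Class`; code that reads such properties should check their types before use.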