diff --git a/lib/Compose.php b/lib/Compose.php
index 92279a058..22112f942 100644
--- a/lib/Compose.php
+++ b/lib/Compose.php
@@ -811,7 +811,7 @@ public function buildAndSendMessage(
 ));
 /* Add preferred reply language(s). */
- if ($lang = @unserialize($prefs->getValue('reply_lang'))) {
+ if ($lang = @unserialize($prefs->getValue('reply_lang'), array('allowed_classes' => false))) {
 $headers->addHeader('Accept-Language', implode(',', $lang));
 }
diff --git a/lib/Factory/MailboxList.php b/lib/Factory/MailboxList.php
index 564b44bf5..a3a99a5a2 100644
--- a/lib/Factory/MailboxList.php
+++ b/lib/Factory/MailboxList.php
@@ -57,7 +57,11 @@ public function create($mailbox)
 $mailbox = IMP_Mailbox::get($mailbox);
 if ($ob = $this->_getCache($mailbox)->get($key)) {
- $ob = @unserialize($ob);
+ $ob = @unserialize($ob, array('allowed_classes' => array(
+ 'IMP_Mailbox_List_Virtual',
+ 'IMP_Mailbox_List_Pop3',
+ 'IMP_Mailbox_List',
+ )));
 }
 if (!$ob) {
diff --git a/lib/Flags.php b/lib/Flags.php
index f7c9fdc74..6b510583c 100644
--- a/lib/Flags.php
+++ b/lib/Flags.php
@@ -71,7 +71,16 @@ public function __construct()
 }
 if ($f_list = $GLOBALS['prefs']->getValue('msgflags')) {
- $f_list = @unserialize($f_list);
+ $f_list = @unserialize($f_list, array('allowed_classes' => array(
+ 'IMP_Flag_Imap_Answered',
+ 'IMP_Flag_Imap_Deleted',
+ 'IMP_Flag_Imap_Draft',
+ 'IMP_Flag_Imap_Flagged',
+ 'IMP_Flag_Imap_Forwarded',
+ 'IMP_Flag_Imap_Junk',
+ 'IMP_Flag_Imap_NotJunk',
+ 'IMP_Flag_Imap_Seen',
+ )));
 if (is_array($f_list)) {
 foreach ($f_list as $val) {
 $this->_userflags[$val->id] = $val;
diff --git a/lib/Ftree/Prefs/Expanded.php b/lib/Ftree/Prefs/Expanded.php
index 1dfa8a95a..8ecd147bc 100644
--- a/lib/Ftree/Prefs/Expanded.php
+++ b/lib/Ftree/Prefs/Expanded.php
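Review bot: In lib/Compose.php the unserialized preference still reaches `implode(',', $lang)` behind a truthiness test only, so a stored scalar is passed to implode() as if it were a list. With `allowed_classes => false` an array element that was an object also arrives as `__PHP_Incomplete_Class`, which implode() cannot convert to a string. Since the value ends up in the Accept-Language header, I would test the type first, e.g. `$lang = @unserialize(...);` followed by `if (is_array($lang) && $lang) {`. buildAndSendMessage() begins and ends outside this hunk.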
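Review bot: In lib/Factory/MailboxList.php the fallback `if (!$ob)` does not catch what the new allow-list rejects: a cached payload of any other class comes back as a `__PHP_Incomplete_Class` object, which is truthy, so create() would continue with it instead of building a fresh list. Testing the type closes that gap, e.g. `if (!($ob instanceof IMP_Mailbox_List)) {`, assuming the Virtual and Pop3 variants extend IMP_Mailbox_List (not visible here). The `?: array()` fallback in lib/Remote.php has the same shape. create() continues outside the hunk.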
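Review bot: In lib/Flags.php each unserialized entry is used as `$val->id` without a type check, and the allow-list names only `IMP_Flag_Imap_*` classes although the entries are stored in `_userflags`. A stored flag of any class not on the list becomes `__PHP_Incomplete_Class`, so the loop would key `_userflags` by a missing `id` and keep an unusable object. Please confirm the list covers every class that can be written to the `msgflags` preference, and guard the assignment with an `instanceof` test against the flag base class. The constructor continues past the end of the hunk.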
@@ -41,8 +41,13 @@ public function __construct()
 {
 global $prefs;
- if (($folders = @unserialize($prefs->getValue('expanded_folders'))) &&
- is_array($folders)) {
+ $value = $prefs->getValue('expanded_folders');
+ $folders = $value ? json_decode($value, true) : array();
+ if (null === $folders && json_last_error() === JSON_ERROR_SYNTAX) {
+ // TODO: Remove backward compatibility with stored values
+ $folders = @unserialize($value, array('allowed_classes' => false));
+ }
+ if (is_array($folders)) {
 $this->_data = $folders;
 }
@@ -54,7 +59,7 @@ public function __construct()
 */
 public function shutdown()
 {
- $GLOBALS['prefs']->setValue('expanded_folders', serialize($this->_data));
+ $GLOBALS['prefs']->setValue('expanded_folders', json_encode($this->_data, JSON_FORCE_OBJECT));
 }
 /**
diff --git a/lib/Ftree/Prefs/Poll.php b/lib/Ftree/Prefs/Poll.php
index d9b2a2270..717b616f7 100644
--- a/lib/Ftree/Prefs/Poll.php
+++ b/lib/Ftree/Prefs/Poll.php
@@ -47,7 +47,13 @@ public function __construct(IMP_Ftree $ftree)
 $this->_data = array('INBOX' => 1);
 /* Add the list of polled mailboxes from the prefs. */
- if ($nav_poll = @unserialize($prefs->getValue('nav_poll'))) {
+ $value = $prefs->getValue('nav_poll');
+ $nav_poll = $value ? json_decode($value, true) : array();
+ if (null === $nav_poll && json_last_error() === JSON_ERROR_SYNTAX) {
+ // TODO: Remove backward compatibility with stored values
+ $nav_poll = @unserialize($value, array('allowed_classes' => false));
+ }
+ if ($nav_poll) {
 $this->_data += $nav_poll;
 }
@@ -59,7 +65,7 @@ public function __construct(IMP_Ftree $ftree)
 */
 public function shutdown()
 {
- $GLOBALS['prefs']->setValue('nav_poll', serialize($this->_data));
+ $GLOBALS['prefs']->setValue('nav_poll', json_encode($this->_data, JSON_FORCE_OBJECT));
 }
 /**
diff --git a/lib/LoginTasks/SystemTask/Upgrade.php b/lib/LoginTasks/SystemTask/Upgrade.php
index 31112f9e3..4730b60e3 100644
--- a/lib/LoginTasks/SystemTask/Upgrade.php
+++ b/lib/LoginTasks/SystemTask/Upgrade.php
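Review bot: The decode-then-legacy-fallback block added to the constructor in lib/Ftree/Prefs/Expanded.php is repeated almost line for line in lib/Ftree/Prefs/Poll.php and lib/Prefs/Sort.php. One shared helper that takes the raw preference value and returns the decoded array would keep the `allowed_classes => false` fallback in a single place and let the TODO be resolved in one edit. The TODO itself would read better as a statement of when the fallback can go, e.g. `// Legacy: value written by serialize() before the switch to JSON; remove once stored prefs have been rewritten.`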
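Review bot: `json_encode()` in shutdown() of lib/Ftree/Prefs/Expanded.php returns `false` when the data cannot be encoded (for instance a key that is not valid UTF-8), and that `false` goes straight into `setValue()`; `serialize()` had no such failure mode. The stored preference would then presumably be replaced by an empty value and the next load would start from `array()`. Check the result before writing, e.g. `$json = json_encode($this->_data, JSON_FORCE_OBJECT);` then `if ($json !== false) { $GLOBALS['prefs']->setValue('expanded_folders', $json); }`. The same applies to shutdown() in lib/Ftree/Prefs/Poll.php and _save() in lib/Prefs/Sort.php.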
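Review bot: In lib/Ftree/Prefs/Poll.php the new guard `if ($nav_poll)` accepts any truthy value, whereas the Expanded and Sort constructors in this commit test `is_array()`. `json_decode()` returns a scalar for a stored value such as `1`, and the legacy `unserialize()` path can return one too, so `$this->_data += $nav_poll` would fail with an unsupported-operand error on a malformed preference. Use `if (is_array($nav_poll)) {` here as well. The constructor body extends beyond the hunk.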
@@ -344,7 +344,10 @@ protected function _upgradeVirtualFolders()
 $vfolders = $prefs->getValue('vfolder');
 if (!empty($vfolders)) {
- $vfolders = @unserialize($vfolders);
+ $vfolders = @unserialize($vfolders, array('allowed_classes' => array(
+ 'IMP_Search_Vfolder_Vinbox',
+ 'IMP_Search_Vfolder_Vtrash',
+ )));
 }
 if (empty($vfolders) || !is_array($vfolders)) {
@@ -577,7 +580,7 @@ protected function _upgradeStationeryToTemplates()
 {
 global $injector, $prefs;
- $slist = @unserialize($prefs->getValue('stationery'));
+ $slist = @unserialize($prefs->getValue('stationery'), array('allowed_classes' => false));
 if (is_array($slist)) {
 /* Old entry format:
 * 'c' => (string) Content
diff --git a/lib/Prefs/Sort.php b/lib/Prefs/Sort.php
index 26c46766f..0710b0b67 100644
--- a/lib/Prefs/Sort.php
+++ b/lib/Prefs/Sort.php
@@ -39,7 +39,12 @@ public function __construct()
 {
 global $prefs;
- $sortpref = @unserialize($prefs->getValue(self::SORTPREF));
+ $value = $prefs->getValue(self::SORTPREF);
+ $sortpref = $value ? json_decode($value, true) : array();
+ if (null === $sortpref && json_last_error() === JSON_ERROR_SYNTAX) {
+ // TODO: Remove backward compatibility with stored values
+ $sortpref = @unserialize($value, array('allowed_classes' => false));
+ }
 if (is_array($sortpref)) {
 $this->_sortpref = $sortpref;
 }
@@ -106,7 +111,7 @@ public function newSortbyValue($sortby)
 */
 protected function _save()
 {
- $GLOBALS['prefs']->setValue(self::SORTPREF, serialize($this->_sortpref));
+ $GLOBALS['prefs']->setValue(self::SORTPREF, json_encode($this->_sortpref, JSON_FORCE_OBJECT));
 }
 /* ArrayAccess methods. */
diff --git a/lib/Remote.php b/lib/Remote.php
index ec3b7bb5a..9843599dc 100644
--- a/lib/Remote.php
+++ b/lib/Remote.php
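Review bot: The `vfolder` allow-list in _upgradeVirtualFolders() names only `IMP_Search_Vfolder_Vinbox` and `IMP_Search_Vfolder_Vtrash`, yet the matching hunk in lib/Search.php goes on to test `$val instanceof IMP_Search_Vfolder`. If the preference can hold plain `IMP_Search_Vfolder` objects, or other objects nested inside a virtual folder, they would now come back as `__PHP_Incomplete_Class`, fail that test and be skipped without any message. Please check both lists against everything that is serialized into the preference (the same question applies to the `filter` list in lib/Search.php) and add a comment above each one saying it must be kept in sync with those classes. Both functions continue outside their hunks.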
@@ -37,7 +37,9 @@ class IMP_Remote implements ArrayAccess, IteratorAggregate
 */
 public function __construct()
 {
- $this->_accounts = @unserialize($GLOBALS['prefs']->getValue('remote')) ?: array();
+ $this->_accounts = @unserialize($GLOBALS['prefs']->getValue('remote'), array('allowed_classes' => array(
+ 'IMP_Remote_Account',
+ ))) ?: array();
 }
 /**
diff --git a/lib/Search.php b/lib/Search.php
index 06c4415ec..ca4130051 100644
--- a/lib/Search.php
+++ b/lib/Search.php
@@ -206,7 +206,15 @@ class_exists($cname)) {
 }
 if ($f_list = $GLOBALS['prefs']->getValue('filter')) {
- $f_list = @unserialize($f_list);
+ $f_list = @unserialize($f_list, array('allowed_classes' => array(
+ 'IMP_Search_Filter',
+ 'IMP_Search_Filter_Personal',
+ 'IMP_Search_Filter_Attachment',
+ 'IMP_Search_Filter_Autogenerated',
+ 'IMP_Search_Filter_Contacts',
+ 'IMP_Search_Filter_Bulk',
+ 'IMP_Search_Filter_Mailinglist',
+ )));
 if (is_array($f_list)) {
 foreach ($f_list as $val) {
 if ($val instanceof IMP_Search_Filter) {
@@ -296,7 +304,10 @@ class_exists($cname)) {
 }
 if ($pref_vf = $GLOBALS['prefs']->getValue('vfolder')) {
- $pref_vf = @unserialize($pref_vf);
+ $pref_vf = @unserialize($pref_vf, array('allowed_classes' => array(
+ 'IMP_Search_Vfolder_Vinbox',
+ 'IMP_Search_Vfolder_Vtrash',
+ )));
 if (is_array($pref_vf)) {
 foreach ($pref_vf as $val) {
 if ($val instanceof IMP_Search_Vfolder) {