diff --git a/lib/Compose.php b/lib/Compose.php
index ff8e90c90..a81cdc4a0 100644
--- a/lib/Compose.php
+++ b/lib/Compose.php
@@ -839,7 +839,7 @@ public function buildAndSendMessage(
 $headers->addUserAgentHeader();
 /* Add preferred reply language(s). */
- if ($lang = @unserialize($prefs->getValue('reply_lang'))) {
+ if ($lang = @unserialize($prefs->getValue('reply_lang'), array('allowed_classes' => false))) {
 $headers->addHeader('Accept-Language', implode(',', $lang));
 }
diff --git a/lib/Factory/MailboxList.php b/lib/Factory/MailboxList.php
index 7b71e970e..eeccf1bf3 100644
--- a/lib/Factory/MailboxList.php
+++ b/lib/Factory/MailboxList.php
@@ -57,7 +57,12 @@ public function create($mailbox)
 $mailbox = IMP_Mailbox::get($mailbox);
 if ($ob = $this->_getCache($mailbox)->get($key)) {
- $ob = @unserialize($ob);
+ $ob = @unserialize($ob, array('allowed_classes' => array(
+ 'IMP_Mailbox_List_Virtual',
+ 'IMP_Mailbox_List_Pop3',
+ 'IMP_Mailbox_List',
+ 'IMP_Mailbox',
+ )));
 }
 if (!$ob) {
diff --git a/lib/Flags.php b/lib/Flags.php
index eacf3e1e7..7b63ec3ad 100644
--- a/lib/Flags.php
+++ b/lib/Flags.php
@@ -71,7 +71,28 @@ public function __construct()
 }
 if ($f_list = $GLOBALS['prefs']->getValue('msgflags')) {
- $f_list = @unserialize($f_list);
+ $f_list = @unserialize($f_list, array('allowed_classes' => array(
+ 'IMP_Flag_Imap_Answered',
+ 'IMP_Flag_Imap_Deleted',
+ 'IMP_Flag_Imap_Draft',
+ 'IMP_Flag_Imap_Flagged',
+ 'IMP_Flag_Imap_Forwarded',
+ 'IMP_Flag_Imap_Junk',
+ 'IMP_Flag_Imap_NotJunk',
+ 'IMP_Flag_Imap_Seen',
+ 'IMP_Flag_System_Attachment',
+ 'IMP_Flag_System_Encrypted',
+ 'IMP_Flag_System_HighPriority',
+ 'IMP_Flag_System_List',
+ 'IMP_Flag_System_LowPriority',
+ 'IMP_Flag_System_Personal',
+ 'IMP_Flag_System_Signed',
+ 'IMP_Flag_System_Unseen',
+ 'IMP_Flag_System_Match_Address',
+ 'IMP_Flag_System_Match_Flag',
+ 'IMP_Flag_System_Match_Header',
+ 'IMP_Flag_User',
+ )));
 if (is_array($f_list)) {
 foreach ($f_list as $val) {
 $this->_userflags[$val->id] = $val;
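Review bot: In lib/Compose.php the result of the restricted `unserialize()` is still only tested for truthiness before it reaches `implode(',', $lang)`, so a stored `reply_lang` that decodes to a non-empty string or a number is handed to `implode()` as if it were an array. `allowed_classes => false` stops object instantiation but does not constrain the shape of the decoded value. I would tighten the condition to `if (($lang = @unserialize($prefs->getValue('reply_lang'), array('allowed_classes' => false))) && is_array($lang)) {`. buildAndSendMessage() starts and ends outside this hunk.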
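Review bot: In lib/Factory/MailboxList.php the follow-up check `if (!$ob) {` no longer separates usable cache entries from unusable ones: a serialized object whose class is not on the new list comes back as `__PHP_Incomplete_Class`, which is truthy, so it is not treated as a cache miss. Testing the type instead, e.g. `if (!($ob instanceof IMP_Mailbox_List)) {`, would send that case down the rebuild path (this assumes the Virtual and Pop3 variants extend `IMP_Mailbox_List`, which the diff does not show). The body of that `if` and the rest of create() lie outside the hunk.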
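Review bot: In lib/Flags.php the loop after the allowlisted `unserialize()` reads `$val->id` on every array element without checking what the element is. With the allowlist in place, an entry of a class that is not listed arrives as `__PHP_Incomplete_Class`, and a scalar entry is not an object at all; both still end up in `$this->_userflags`. The loops in lib/Search.php guard with `if ($val instanceof IMP_Search_Filter) {`, and the same kind of `instanceof` test against the common flag type belongs here. The `foreach` body continues past the end of the hunk.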
diff --git a/lib/Ftree/Prefs/Expanded.php b/lib/Ftree/Prefs/Expanded.php
index d870f06b9..aa07ce2b5 100644
--- a/lib/Ftree/Prefs/Expanded.php
+++ b/lib/Ftree/Prefs/Expanded.php
@@ -41,8 +41,13 @@ public function __construct()
 {
 global $prefs;
- if (($folders = @unserialize($prefs->getValue('expanded_folders'))) &&
- is_array($folders)) {
+ $value = $prefs->getValue('expanded_folders');
+ $folders = $value ? json_decode($value, true) : array();
+ if (null === $folders && json_last_error() === JSON_ERROR_SYNTAX) {
+ // TODO: Remove backward compatibility with stored values
+ $folders = @unserialize($value, array('allowed_classes' => false));
+ }
+ if (is_array($folders)) {
 $this->_data = $folders;
 }
@@ -54,7 +59,7 @@ public function __construct()
 */
 public function shutdown()
 {
- $GLOBALS['prefs']->setValue('expanded_folders', serialize($this->_data));
+ $GLOBALS['prefs']->setValue('expanded_folders', json_encode($this->_data, JSON_FORCE_OBJECT));
 }
 /**
diff --git a/lib/Ftree/Prefs/Poll.php b/lib/Ftree/Prefs/Poll.php
index d4a6977ea..d228fe3f5 100644
--- a/lib/Ftree/Prefs/Poll.php
+++ b/lib/Ftree/Prefs/Poll.php
@@ -47,7 +47,13 @@ public function __construct(IMP_Ftree $ftree)
 $this->_data = array('INBOX' => 1);
 /* Add the list of polled mailboxes from the prefs. */
- if ($nav_poll = @unserialize($prefs->getValue('nav_poll'))) {
+ $value = $prefs->getValue('nav_poll');
+ $nav_poll = $value ? json_decode($value, true) : array();
+ if (null === $nav_poll && json_last_error() === JSON_ERROR_SYNTAX) {
+ // TODO: Remove backward compatibility with stored values
+ $nav_poll = @unserialize($value, array('allowed_classes' => false));
+ }
+ if ($nav_poll) {
 $this->_data += $nav_poll;
 }
@@ -59,7 +65,7 @@ public function __construct(IMP_Ftree $ftree)
 */
 public function shutdown()
 {
- $GLOBALS['prefs']->setValue('nav_poll', serialize($this->_data));
+ $GLOBALS['prefs']->setValue('nav_poll', json_encode($this->_data, JSON_FORCE_OBJECT));
 }
 /**
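Review bot: The decode-with-legacy-fallback block added to the constructor in lib/Ftree/Prefs/Expanded.php is repeated line for line in lib/Ftree/Prefs/Poll.php and lib/Prefs/Sort.php, and its TODO does not say what has to happen before the `unserialize()` path can go. Until it is removed, any stored value that fails JSON parsing still reaches `unserialize()`, with object instantiation switched off by `allowed_classes => false`. A single shared helper would give one place to delete that path, and the comment could state the condition, e.g. `// TODO: drop the unserialize() fallback once stored prefs have been rewritten as JSON`. The constructor's closing lines are outside the hunk.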
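Review bot: `json_encode()` in shutdown() of lib/Ftree/Prefs/Expanded.php can return `false` (for example when a key or value is not valid UTF-8), a failure mode `serialize()` did not have, and the result goes straight into `setValue()`. Whether `setValue()` would then overwrite the stored preference is not visible here, but checking first removes the question: `$json = json_encode($this->_data, JSON_FORCE_OBJECT);` followed by `if ($json !== false) { $GLOBALS['prefs']->setValue('expanded_folders', $json); }`. The same applies to shutdown() in lib/Ftree/Prefs/Poll.php and _save() in lib/Prefs/Sort.php.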
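Review bot: In lib/Ftree/Prefs/Poll.php the decoded preference is only tested with `if ($nav_poll) {` before `$this->_data += $nav_poll;`, so a stored `nav_poll` that decodes to a truthy scalar (a JSON string, number or `true`) is used as the right-hand operand of an array union and raises an unsupported-operand error in the constructor. The parallel code in lib/Ftree/Prefs/Expanded.php and lib/Prefs/Sort.php checks `is_array()`; this one should as well: `if (is_array($nav_poll)) {`. The constructor begins and ends outside the hunk.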
diff --git a/lib/LoginTasks/SystemTask/Upgrade.php b/lib/LoginTasks/SystemTask/Upgrade.php
index cdb0c68e3..8de4fb376 100644
--- a/lib/LoginTasks/SystemTask/Upgrade.php
+++ b/lib/LoginTasks/SystemTask/Upgrade.php
@@ -344,7 +344,10 @@ protected function _upgradeVirtualFolders()
 $vfolders = $prefs->getValue('vfolder');
 if (!empty($vfolders)) {
- $vfolders = @unserialize($vfolders);
+ $vfolders = @unserialize($vfolders, array('allowed_classes' => array(
+ 'IMP_Search_Vfolder_Vinbox',
+ 'IMP_Search_Vfolder_Vtrash',
+ )));
 }
 if (empty($vfolders) || !is_array($vfolders)) {
@@ -573,7 +576,7 @@ protected function _upgradeStationeryToTemplates()
 {
 global $injector, $prefs;
- $slist = @unserialize($prefs->getValue('stationery'));
+ $slist = @unserialize($prefs->getValue('stationery'), array('allowed_classes' => false));
 if (is_array($slist)) {
 /* Old entry format:
 * 'c' => (string) Content
diff --git a/lib/Prefs/Sort.php b/lib/Prefs/Sort.php
index e2346df1e..2843c2ae3 100644
--- a/lib/Prefs/Sort.php
+++ b/lib/Prefs/Sort.php
@@ -39,7 +39,12 @@ public function __construct()
 {
 global $prefs;
- $sortpref = @unserialize($prefs->getValue(self::SORTPREF));
+ $value = $prefs->getValue(self::SORTPREF);
+ $sortpref = $value ? json_decode($value, true) : array();
+ if (null === $sortpref && json_last_error() === JSON_ERROR_SYNTAX) {
+ // TODO: Remove backward compatibility with stored values
+ $sortpref = @unserialize($value, array('allowed_classes' => false));
+ }
 if (is_array($sortpref)) {
 $this->_sortpref = $sortpref;
 }
@@ -106,7 +111,7 @@ public function newSortbyValue($sortby)
 */
 protected function _save()
 {
- $GLOBALS['prefs']->setValue(self::SORTPREF, serialize($this->_sortpref));
+ $GLOBALS['prefs']->setValue(self::SORTPREF, json_encode($this->_sortpref, JSON_FORCE_OBJECT));
 }
 /* ArrayAccess methods. */
diff --git a/lib/Remote.php b/lib/Remote.php
index 8bb2d8377..4be74d241 100644
--- a/lib/Remote.php
+++ b/lib/Remote.php
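Review bot: The `vfolder` allowlist in _upgradeVirtualFolders() of lib/LoginTasks/SystemTask/Upgrade.php names only `IMP_Search_Vfolder_Vinbox` and `IMP_Search_Vfolder_Vtrash`, whereas the `filter` allowlist in lib/Search.php also includes its base class `IMP_Search_Filter`. If user-defined virtual folders are stored as plain `IMP_Search_Vfolder` objects (not confirmable from this diff), they would now unserialize as `__PHP_Incomplete_Class` and be skipped by the `$val instanceof IMP_Search_Vfolder` test in lib/Search.php without any error. Either add `'IMP_Search_Vfolder',` to the list or add a comment stating that only the two built-in classes are ever serialized. The second `vfolder` hunk in lib/Search.php carries the same list.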
@@ -37,7 +37,9 @@ class IMP_Remote implements ArrayAccess, IteratorAggregate
 */
 public function __construct()
 {
- $this->_accounts = @unserialize($GLOBALS['prefs']->getValue('remote')) ?: array();
+ $this->_accounts = @unserialize($GLOBALS['prefs']->getValue('remote'), array('allowed_classes' => array(
+ 'IMP_Remote_Account',
+ ))) ?: array();
 }
 /**
diff --git a/lib/Search.php b/lib/Search.php
index 4bab48268..8f9f815ab 100644
--- a/lib/Search.php
+++ b/lib/Search.php
@@ -207,7 +207,15 @@ class_exists($cname)) {
 }
 if ($f_list = $GLOBALS['prefs']->getValue('filter')) {
- $f_list = @unserialize($f_list);
+ $f_list = @unserialize($f_list, array('allowed_classes' => array(
+ 'IMP_Search_Filter',
+ 'IMP_Search_Filter_Personal',
+ 'IMP_Search_Filter_Attachment',
+ 'IMP_Search_Filter_Autogenerated',
+ 'IMP_Search_Filter_Contacts',
+ 'IMP_Search_Filter_Bulk',
+ 'IMP_Search_Filter_Mailinglist',
+ )));
 if (is_array($f_list)) {
 foreach ($f_list as $val) {
 if ($val instanceof IMP_Search_Filter) {
@@ -297,7 +305,10 @@ class_exists($cname)) {
 }
 if ($pref_vf = $GLOBALS['prefs']->getValue('vfolder')) {
- $pref_vf = @unserialize($pref_vf);
+ $pref_vf = @unserialize($pref_vf, array('allowed_classes' => array(
+ 'IMP_Search_Vfolder_Vinbox',
+ 'IMP_Search_Vfolder_Vtrash',
+ )));
 if (is_array($pref_vf)) {
 foreach ($pref_vf as $val) {
 if ($val instanceof IMP_Search_Vfolder) {
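Review bot: In lib/Remote.php the constructor still accepts any truthy result of `unserialize()` as `$this->_accounts`, so a stored `remote` value that decodes to a scalar, or to an array whose entries are not `IMP_Remote_Account`, is kept as the account list. The class implements ArrayAccess and IteratorAggregate, presumably over that property, so the shape is worth validating here. Assign the result to a local first, then `$this->_accounts = is_array($accounts) ? $accounts : array();`, ideally also dropping elements that fail `instanceof IMP_Remote_Account`.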
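Review bot: The allowlist on the `filter` preference in lib/Search.php restricts only the classes that this `unserialize()` call instantiates; it does not reach any `unserialize()` that an allowlisted class runs on its own payload. If the `IMP_Search_Filter*` classes restore their state through `Serializable::unserialize()` or `__unserialize()` and call `unserialize()` there (their definitions are not part of this diff), that inner call needs its own `allowed_classes` option. The same check is worth making for the classes allowlisted in the other hunks of this commit. The enclosing method begins and ends outside the hunk.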