summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndrey Andreev <narf@devilix.net>2017-09-25 13:39:34 +0200
committerAndrey Andreev <narf@devilix.net>2017-09-25 13:39:34 +0200
commit88c1a597360f5b63371c119b64e913c9238c75b8 (patch)
tree564ea22a14e7a105c6e36d68cd90ad6284d7b2f5
parente8eb86764955c9c904b50db7c12a3be73c627406 (diff)
[ci skip] Fix potential object injection in apc cache driver; deprecate the apc driver
-rw-r--r--system/libraries/Cache/drivers/Cache_apc.php48
-rw-r--r--user_guide_src/source/changelog.rst5
2 files changed, 27 insertions, 26 deletions
diff --git a/system/libraries/Cache/drivers/Cache_apc.php b/system/libraries/Cache/drivers/Cache_apc.php
index f2b61adb1..c873eb640 100644
--- a/system/libraries/Cache/drivers/Cache_apc.php
+++ b/system/libraries/Cache/drivers/Cache_apc.php
@@ -80,14 +80,7 @@ class CI_Cache_apc extends CI_Driver {
$success = FALSE;
$data = apc_fetch($id, $success);
- if ($success === TRUE)
- {
- return is_array($data)
- ? unserialize($data[0])
- : $data;
- }
-
- return FALSE;
+ return ($success === TRUE) ? $data : FALSE;
}
// ------------------------------------------------------------------------
@@ -98,18 +91,12 @@ class CI_Cache_apc extends CI_Driver {
* @param string $id Cache ID
* @param mixed $data Data to store
* @param int $ttl Length of time (in seconds) to cache the data
- * @param bool $raw Whether to store the raw value
+ * @param bool $raw Whether to store the raw value (unused)
* @return bool TRUE on success, FALSE on failure
*/
public function save($id, $data, $ttl = 60, $raw = FALSE)
{
- $ttl = (int) $ttl;
-
- return apc_store(
- $id,
- ($raw === TRUE ? $data : array(serialize($data), time(), $ttl)),
- $ttl
- );
+ return apc_store($id, $data, (int) $ttl);
}
// ------------------------------------------------------------------------
@@ -188,21 +175,30 @@ class CI_Cache_apc extends CI_Driver {
*/
public function get_metadata($id)
{
- $success = FALSE;
- $stored = apc_fetch($id, $success);
-
- if ($success === FALSE OR count($stored) !== 3)
+ $cache_info = apc_cache_info('user', FALSE);
+ if (empty($cache_info) OR empty($cache_info['cache_list']))
{
return FALSE;
}
- list($data, $time, $ttl) = $stored;
+ foreach ($cache_info['cache_list'] as &$entry)
+ {
+ if ($entry['info'] !== $id)
+ {
+ continue;
+ }
+
+ $success = FALSE;
+ $metadata = array(
+ 'expire' => ($entry['ttl'] ? $entry['mtime'] + $entry['ttl'] : 0),
+ 'mtime' => $entry['ttl'],
+ 'data' => apc_fetch($id, $success)
+ );
+
+ return ($success === TRUE) ? $metadata : FALSE;
+ }
- return array(
- 'expire' => $time + $ttl,
- 'mtime' => $time,
- 'data' => unserialize($data)
- );
+ return FALSE;
}
// ------------------------------------------------------------------------
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 055e2d08c..dcfe7b481 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -7,8 +7,13 @@ Version 3.1.6
Release Date: Not Released
+- **Security**
+
+ - Fixed a potential object injection in :doc:`Cache Library <libraries/caching>` 'apc' driver when ``save()`` is used with ``$raw = TRUE`` (thanks to Tomas Bortoli).
+
- General Changes
+ - Deprecated :doc:`Cache Library Library <libraries/caching>` driver 'apc'.
- Updated the :doc:`Session Library <libraries/sessions>` 'redis', 'memcached' drivers to reduce the potential of a locking race conditions.