Merge MAGETWO-95386 into 2.1.16-bugfixes-311018

Author: dvoskoboinikov

app/code/Magento/Theme/Model/Design/Backend/Exceptions.php

@@ -6,6 +6,8 @@
 namespace Magento\Theme\Model\Design\Backend;
 
 use Magento\Config\Model\Config\Backend\Serialized\ArraySerialized;
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Unserialize\SecureUnserializer;
 
 class Exceptions extends ArraySerialized
 {
@@ -16,6 +18,11 @@ class Exceptions extends ArraySerialized
      */
     protected $_design = null;
 
+    /**
+     * @var SecureUnserializer
+     */
+    private $secureUnserializer;
+
     /**
      * Initialize dependencies
      *
@@ -26,6 +33,7 @@ class Exceptions extends ArraySerialized
      * @param \Magento\Framework\View\DesignInterface $design
      * @param \Magento\Framework\Model\ResourceModel\AbstractResource $resource
      * @param \Magento\Framework\Data\Collection\AbstractDb $resourceCollection
+     * @param SecureUnserializer|null $secureUnserializer
      * @param array $data
      */
     public function __construct(
@@ -36,9 +44,12 @@ public function __construct(
         \Magento\Framework\View\DesignInterface $design,
         \Magento\Framework\Model\ResourceModel\AbstractResource $resource = null,
         \Magento\Framework\Data\Collection\AbstractDb $resourceCollection = null,
+        SecureUnserializer $secureUnserializer = null,
         array $data = []
     ) {
         $this->_design = $design;
+        $this->secureUnserializer = $secureUnserializer ?:
+            ObjectManager::getInstance()->create(SecureUnserializer::class);
         parent::__construct($context, $registry, $config, $cacheTypeList, $resource, $resourceCollection, $data);
     }
 
@@ -155,6 +166,26 @@ public function afterLoad()
      */
     public function getValue()
     {
-        return $this->getData('value') ?: [];
+        return $this->validateValue($this->getData('value')) ?: [];
+    }
+
+    /**
+     * Validate config on appropriate value
+     *
+     * @param string $value
+     * @return bool
+     */
+    private function validateValue($value)
+    {
+        try {
+            if (is_string($value)) {
+                $this->secureUnserializer->unserialize($value);
+            }
+        } catch (\InvalidArgumentException $e) {
+            $this->_logger->critical($e->getMessage());
+            $value = false;
+        }
+
+        return $value;
     }
 }

lib/internal/Magento/Framework/Unserialize/SecureUnserializer.php

@@ -26,6 +26,10 @@ public function unserialize($string)
             throw new \InvalidArgumentException('Data contains serialized object and cannot be unserialized');
         }
 
-        return unserialize($string);
+        try {
+            return unserialize($string);
+        } catch (\Exception $e) {
+            return false;
+        }
     }
 }

lib/internal/Magento/Framework/View/DesignExceptions.php

@@ -5,6 +5,10 @@
  */
 namespace Magento\Framework\View;
 
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Unserialize\SecureUnserializer;
+use Psr\Log\LoggerInterface;
+
 /**
  * Class DesignExceptions
  */
@@ -31,19 +35,36 @@ class DesignExceptions
      */
     protected $scopeType;
 
+    /**
+     * @var SecureUnserializer
+     */
+    private $secureUnserializer;
+
+    /**
+     * @var LoggerInterface
+     */
+    private $logger;
+
     /**
      * @param \Magento\Framework\App\Config\ScopeConfigInterface $scopeConfig
      * @param string $exceptionConfigPath
      * @param string $scopeType
+     * @param SecureUnserializer|null $secureUnserializer
+     * @param LoggerInterface|null $logger
      */
     public function __construct(
         \Magento\Framework\App\Config\ScopeConfigInterface $scopeConfig,
         $exceptionConfigPath,
-        $scopeType
+        $scopeType,
+        SecureUnserializer $secureUnserializer = null,
+        LoggerInterface $logger = null
     ) {
         $this->scopeConfig = $scopeConfig;
         $this->exceptionConfigPath = $exceptionConfigPath;
         $this->scopeType = $scopeType;
+        $this->secureUnserializer = $secureUnserializer ?:
+            ObjectManager::getInstance()->create(SecureUnserializer::class);
+        $this->logger = $logger ?: ObjectManager::getInstance()->create(LoggerInterface::class);
     }
 
     /**
@@ -65,12 +86,20 @@ public function getThemeByRequest(\Magento\Framework\App\Request\Http $request)
         if (!$expressions) {
             return false;
         }
-        $expressions = unserialize($expressions);
+
+        try {
+            $expressions = $this->secureUnserializer->unserialize($expressions);
+        } catch (\InvalidArgumentException $e) {
+            $this->logger->critical($e->getMessage());
+            return false;
+        }
+
         foreach ($expressions as $rule) {
             if (preg_match($rule['regexp'], $userAgent)) {
                 return $rule['value'];
             }
         }
+
         return false;
     }
 }

lib/internal/Magento/Framework/View/Test/Unit/DesignExceptionsTest.php

@@ -7,6 +7,7 @@
 namespace Magento\Framework\View\Test\Unit;
 
 use Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
+use Magento\Framework\Unserialize\SecureUnserializer;
 
 class DesignExceptionsTest extends \PHPUnit_Framework_TestCase
 {
@@ -28,18 +29,21 @@ class DesignExceptionsTest extends \PHPUnit_Framework_TestCase
     /** @var string */
     protected $scopeType = 'scope_type';
 
+    private $secureUnserializer;
+
     protected function setUp()
     {
         $this->scopeConfigMock = $this->getMock('Magento\Framework\App\Config\ScopeConfigInterface');
         $this->requestMock = $this->getMock('Magento\Framework\App\Request\Http', [], [], '', false);
-
         $this->objectManagerHelper = new ObjectManagerHelper($this);
+        $this->secureUnserializer = $this->objectManagerHelper->getObject(SecureUnserializer::class);
         $this->designExceptions = $this->objectManagerHelper->getObject(
             'Magento\Framework\View\DesignExceptions',
             [
                 'scopeConfig' => $this->scopeConfigMock,
                 'exceptionConfigPath' => $this->exceptionConfigPath,
-                'scopeType' => $this->scopeType
+                'scopeType' => $this->scopeType,
+                'secureUnserializer' => $this->secureUnserializer,
             ]
         );
     }