MAGETWO-95386: Fixed incorrect design expretions functional

roman · roman · commit 349d0c53ea2e · 2018-10-29T15:40:33.000+02:00
diff --git a/app/code/Magento/Theme/Model/Design/Backend/Exceptions.php b/app/code/Magento/Theme/Model/Design/Backend/Exceptions.php
@@ -6,6 +6,9 @@
 namespace Magento\Theme\Model\Design\Backend;
 
 use Magento\Config\Model\Config\Backend\Serialized\ArraySerialized;
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Unserialize\SecureUnserializer;
+use Psr\Log\LoggerInterface;
 
 class Exceptions extends ArraySerialized
 {
@@ -16,6 +19,11 @@ class Exceptions extends ArraySerialized
      */
     protected $_design = null;
 
+    /**
+     * @var SecureUnserializer
+     */
+    private $secureUnserializer;
+
     /**
      * Initialize dependencies
      *
@@ -26,6 +34,7 @@ class Exceptions extends ArraySerialized
      * @param \Magento\Framework\View\DesignInterface $design
      * @param \Magento\Framework\Model\ResourceModel\AbstractResource $resource
      * @param \Magento\Framework\Data\Collection\AbstractDb $resourceCollection
+     * @param SecureUnserializer|null $secureUnserializer
      * @param array $data
      */
     public function __construct(
@@ -36,9 +45,12 @@ public function __construct(
         \Magento\Framework\View\DesignInterface $design,
         \Magento\Framework\Model\ResourceModel\AbstractResource $resource = null,
         \Magento\Framework\Data\Collection\AbstractDb $resourceCollection = null,
+        SecureUnserializer $secureUnserializer = null,
         array $data = []
     ) {
         $this->_design = $design;
+        $this->secureUnserializer = $secureUnserializer ?:
+            ObjectManager::getInstance()->create(SecureUnserializer::class);
         parent::__construct($context, $registry, $config, $cacheTypeList, $resource, $resourceCollection, $data);
     }
 
@@ -155,6 +167,24 @@ public function afterLoad()
      */
     public function getValue()
     {
-        return $this->getData('value') ?: [];
+        return $this->validateValue($this->getData('value')) ?: [];
+    }
+
+    private function validateValue($value)
+    {
+        try {
+            if (is_string($value)) {
+                $this->secureUnserializer->unserialize($value);
+            }
+
+            if (is_object($value)) {
+                $value = false;
+            }
+        } catch (\InvalidArgumentException $e) {
+            $this->_logger->critical($e->getMessage());
+            $value = false;
+        }
+
+        return $value;
     }
 }
diff --git a/lib/internal/Magento/Framework/Unserialize/SecureUnserializer.php b/lib/internal/Magento/Framework/Unserialize/SecureUnserializer.php
@@ -26,6 +26,10 @@ public function unserialize($string)
             throw new \InvalidArgumentException('Data contains serialized object and cannot be unserialized');
         }
 
-        return unserialize($string);
+        try {
+            return unserialize($string);
+        } catch (\Exception $e) {
+            return false;
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,10 @@ public function unserialize($string)`
`26`	`26`	`throw new \InvalidArgumentException('Data contains serialized object and cannot be unserialized');`
`27`	`27`	`}`
`28`	`28`
`29`		`- return unserialize($string);`
	`29`	`+ try {`
	`30`	`+ return unserialize($string);`
	`31`	`+ } catch (\Exception $e) {`
	`32`	`+ return false;`
	`33`	`+ }`
`30`	`34`	`}`
`31`	`35`	`}`