From 7f97484dafd8e70b73ee1e1b1767399f2cd5a3e6 Mon Sep 17 00:00:00 2001
From: mainframe98 <k.s.werf@hotmail.com>
Date: Wed, 24 Jan 2018 20:51:34 +0100
Subject: [PATCH] SECURITY: Don't query API with format=php

This requires unserialization of potentially unsafe php code,
which is dangerous, even if the source is trusted.
Because the default configuration does not use https when
querying the API, this causes a security vulnerability.

Bug: T185652
---
 AutoProxyBlock.body.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/AutoProxyBlock.body.php b/AutoProxyBlock.body.php
index 115df1d..9f2e307 100644
--- a/AutoProxyBlock.body.php
+++ b/AutoProxyBlock.body.php
@@ -112,12 +112,12 @@ class AutoProxyBlock {
 	}
  
 	static function requestForeignAPI( $url, $options ) {
-		$url .= '?format=php';
-		foreach($options as $param => $value) {
+		$url .= '?format=json';
+		foreach( $options as $param => $value ) {
 			$url .= '&'.$param.'='.$value;
 		}
 		
-		$content = Http::get($url);
-		return unserialize($content);
+		$content = Http::get( $url );
+		return json_decode( $content );
 	}
 }
-- 
2.16.0.windows.2