CIVI-SA-2019-21 may lead to regressions when following typehints on CRM_Core_BAO_Setting::setItem()
The last security upgrade 5.19.3 introduced a replacement for unserialize()
which does not allow PHP objects anymore.
This led to serious problems in some of our extensions that make use of CRM_Core_BAO_Setting::setItem() for storing extension settings. Since this method explicitly expects settings values to be of type object, those settings cannot be retrieved from the database anymore.
All those extensions need an upgrader that converts objects in settings records to arrays. Unfortunately, some of those extensions, whenever the current settings are being fetched and there are no defaults, store those defaults to the database (alongside existing settings, which are now not fetched anymore), which resulted in data loss.
Of course, that's the responsibility of the extension, but CRM_Core_BAO_Setting::setItem()'s typehinting is now wrong and should be reworked.
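
An added example, not part of the original issue and not CiviCRM or extension code: a sketch of the object-to-array conversion such an upgrader would perform on one stored value. It assumes the stored objects are plain stdClass, uses PHP's native unserialize() with allowed_classes as a stand-in for the restricted replacement, and all function names are hypothetical.

```php
<?php
// Added illustration: plain PHP, not CiviCRM or extension code.

/** Throw if anything other than scalars, arrays or stdClass was stored. */
function reject_unexpected_classes($value): void {
  if ($value instanceof __PHP_Incomplete_Class) {
    throw new RuntimeException('Unexpected class in legacy setting');
  }
  if (is_array($value) || $value instanceof stdClass) {
    foreach ((array) $value as $child) {
      reject_unexpected_classes($child);
    }
  }
}

/** Recursively turn stdClass values into arrays. */
function settings_to_array($value) {
  if ($value instanceof stdClass) {
    $value = get_object_vars($value);
  }
  if (is_array($value)) {
    foreach ($value as $key => $child) {
      $value[$key] = settings_to_array($child);
    }
  }
  return $value;
}

/** One-time migration: allow stdClass only, then re-serialize as arrays. */
function migrate_legacy_setting(string $serialized): string {
  $value = unserialize($serialized, ['allowed_classes' => ['stdClass']]);
  if ($value === FALSE && $serialized !== serialize(FALSE)) {
    throw new RuntimeException('Not valid serialized data');
  }
  reject_unexpected_classes($value);
  return serialize(settings_to_array($value));
}

// Constructed sample: a settings value stored as an object.
$legacy = serialize((object) ['api_key' => 'example', 'limits' => (object) ['max' => 10]]);

// Object-free read (stand-in for the restricted unserialize): no usable data.
var_dump(unserialize($legacy, ['allowed_classes' => FALSE]) instanceof __PHP_Incomplete_Class);

// After migration the same restricted read returns nested arrays.
$migrated = migrate_legacy_setting($legacy);
var_dump(unserialize($migrated, ['allowed_classes' => FALSE]));
```

Restricting the migration read to stdClass keeps the upgrader from reintroducing unrestricted object deserialization while it converts the legacy records.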