Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
There are security problems when using serialized arrays in PHP code.
JSON data storage is a requirement of Drupal 10: https://www.drupal.org/node/3192484
Proposed resolution
Change all stored data to use JSON instead of serialized arrays.
Remaining tasks
Convert to JSON data storage.Update D7 migrations to support JSON for compatibility with #3273408.- Confirm test coverage for entity data stored in both the v1 and v2 field formats.
- Add an update script to update stored entity data.
- Add test coverage for the update script.
User interface changes
None.
API changes
TBD
Data model changes
TBD
Comment | File | Size | Author |
---|---|---|---|
#44 | metatag-n3272768-44.patch | 26.36 KB | DamienMcKenna |
#42 | metatag-n3272768-42.patch | 23.46 KB | DamienMcKenna |
#42 | metatag-n3272768-42.interdiff.txt | 2.51 KB | DamienMcKenna |
#37 | metatag-n3272768-37.patch | 21.29 KB | DamienMcKenna |
#34 | metatag-n3272768-34.interdiff.txt | 1.02 KB | DamienMcKenna |
Issue fork metatag-3272768
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #2
DamienMcKennaCould/should we do this on D7 too?
Comment #3
DamienMcKennaComment #4
DamienMcKennaFYI the TMGMT module made this change: #3065597
Comment #5
DamienMcKennaComment #6
DamienMcKennaWIP, untested.
Comment #7
DamienMcKennaI think we should go the additional step and store the data as a JSON field rather than just store it as a different string format, that would give us the most benefit.
Comment #8
DamienMcKennaThe migration logic needs to support both Metatag 7.x-1-x-style serialized arrays and Metatag 7.x-2.x-style JSON data.
Comment #9
DamienMcKennaSome fixes.
Comment #11
SandeepSingh199 CreditAttribution: SandeepSingh199 at Srijan | A Material+ Company for Drupal India Association commentedfixed the #9 php error. also attached interdiff_9_10.txt
Comment #12
DamienMcKennaThis should fix some of the test failures.
Comment #14
DamienMcKennaThis should fix the last error.
Comment #15
DamienMcKennaExcellent.
I've updated the Remaining Tasks list:
Comment #16
DamienMcKennaNote: this doesn't change the underlying field itself, it just changes how the data is stored in the field.
Comment #17
DamienMcKennaDid some manual testing and it works well, it's nice having the data stored in JSON format instead of serialized arrays.
Comment #18
DamienMcKennaSeeing how this would work if it didn't serialize the data..
Comment #19
DamienMcKennaRerolled.
Comment #20
DamienMcKennaI suspect we might need #3320031: Add a new field for storing raw JSON data (D9) before we can handle JSON all the way down..
Comment #22
DamienMcKennaThis is #14 rerolled, with a fix for an unwanted second argument to Json::decode().
Comment #24
DamienMcKennaComment #25
DamienMcKennaDoes this fix it?
Comment #27
DamienMcKennaOne more..
Comment #28
DamienMcKennaWoot.
Let's set up the D7 migration to have a JSON-encoded value alongside a serialized value.
Comment #30
DamienMcKennaOffload the migration decoder logic to a separate method, and mirror the code from D7.
Comment #31
DamienMcKennaNice!
That's two items down, now to do update scripts.
Comment #32
DamienMcKennaLet's make backwards compatibility a little easier by adding the same global function that the D7 issue uses. Yes, a function.
Comment #33
DamienMcKennaWIP update script, not running the tests because there's no test coverage for that bit yet. This also reverts the changes to the info file.
Comment #34
DamienMcKennaFixed some typoos.
Comment #35
DamienMcKennaAfter doing some testing I've confirmed that on D8+ the configuration items do not need to be modified, they're stored as a single object with multiple values in the "tags" element instead of those values being stored as a serialized array. That means we don't need to update the configuration. Woot.
Comment #36
DamienMcKennaComment #37
DamienMcKennaRerolled.
Comment #39
DamienMcKennaThe test failures are because of WebProfiler, see #3323467 for details.
All that's left is to finish up the update script.
Comment #40
DamienMcKennaI think we need test coverage to make sure that data loads correctly in both the v1 and v2 field formats, to make sure that sites don't break while the update scripts are running.
Comment #41
DamienMcKennaWe need test coverage for the update script too.
Comment #42
DamienMcKennaFixed update script.
Comment #43
DamienMcKennaI can't upload the tests for the update script because it includes a fixture that has a change to the "entity.definitions.installed" and "entity.definitions.installed" key_value records, which include serialized objects, and git thinks the files are binaries and won't output them in the patch file.
Comment #44
DamienMcKennaRerolled.
Comment #46
DamienMcKennaAnd the tests pass! Woot!
Comment #48
DamienMcKennaCommitted.
Comment #49
DamienMcKenna