From 5bc561ee7ad31b769815821280f8a3f5bd69c31b Mon Sep 17 00:00:00 2001
From: Paul Holden <paulh@moodle.com>
Date: Mon, 21 Jun 2021 09:29:07 +0100
Subject: [PATCH] MDL-71957 auth_shibboleth: safer session retrieval during
 logout.

---
 auth/shibboleth/classes/helper.php | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/auth/shibboleth/classes/helper.php b/auth/shibboleth/classes/helper.php
index c1d57057509..0e99d199957 100644
--- a/auth/shibboleth/classes/helper.php
+++ b/auth/shibboleth/classes/helper.php
@@ -113,11 +113,22 @@ class helper {
      */
     private static function unserializesession($serializedstring) {
         $variables = array();
-        $a = preg_split("/(\w+)\|/", $serializedstring, -1, PREG_SPLIT_NO_EMPTY | PREG_SPLIT_DELIM_CAPTURE);
-        $counta = count($a);
-        for ($i = 0; $i < $counta; $i = $i + 2) {
-            $variables[$a[$i]] = unserialize($a[$i + 1]);
+
+        $index = 0;
+
+        // Find next delimiter after current index. It's key being the characters between those points.
+        while ($delimiterpos = strpos($serializedstring, '|', $index)) {
+            $key = substr($serializedstring, $index, $delimiterpos - $index);
+
+            // Start unserializing immediately after the delimiter. PHP will read as much valid data as possible.
+            $value = unserialize(substr($serializedstring, $delimiterpos + 1),
+                ['allowed_classes' => ['stdClass']]);
+            $variables[$key] = $value;
+
+            // Advance index beyond the length of the previously captured serialized value.
+            $index = $delimiterpos + 1 + strlen(serialize($value));
         }
+
         return $variables;
     }
 }