[wp-trac] [WordPress Trac] #17375: Serialized option values broken for classes and strings on unserialize for C and S

WordPress Trac wp-trac at lists.automattic.com
Fri Jun 10 02:03:17 UTC 2011


#17375: Serialized option values broken for classes and strings on unserialize for C
and S
--------------------------+--------------------------
 Reporter:  hakre         |       Owner:  markjaquith
     Type:  defect (bug)  |      Status:  reviewing
 Priority:  normal        |   Milestone:  3.2
Component:  General       |     Version:  3.1
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |
--------------------------+--------------------------

Comment (by dd32):

 Went on a hunt for the S modifier.

 Led me to this changeset in PHP:
 [http://svn.php.net/viewvc?view=revision&revision=225029 phprev 225029]
 which suggests it was for PHP6(5.3?) future compatibility, which then led
 to [http://svn.php.net/viewvc?view=revision&revision=232476 phprev 232476],
 which finally gives us a
 [http://www.php-security.org/MOPB/MOPB-29-2007.html security report about the 'S' modifier].

 > With PHP 5.2.1 the new S: data type was added to unserialize(). It is
 meant as compatibility layer for exchange of serialized data with future
 PHP 6. The data type itself is similar to the normal s: string data type
 with the exception that simple escaped bytes are supported. The following
 string is an example.

 With PHP6 never being released, AFAIK, there are no cases where the S data
 type should be created by PHP, looking through
 [http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/standard/var.c?view=markup PHP 5.3's branch's var.c]
 seems to validate that.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/17375#comment:8>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
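
The `S:` token described in the quoted advisory text, as an added example (not part of the comment above, the advisory, or WordPress code): a standalone decoder showing how it differs from `s:`. It assumes the behaviour of PHP's unserializer, where an escape is a backslash followed by exactly two hex digits and the declared length counts decoded bytes; the function name and sample strings are constructed for illustration.

```php
<?php
// Decode a single top-level S: token, e.g. S:3:"\61bc";
// Returns the decoded string, or null when the token is malformed.
function decode_escaped_string_token(string $data): ?string
{
    // Header: S:<decimal length>:" (an uppercase S only; s: is the plain type).
    if (!preg_match('/\AS:(\d+):"/', $data, $m)) {
        return null;
    }
    $len = (int) $m[1];      // number of decoded bytes, not of input characters
    $pos = strlen($m[0]);    // offset of the first payload character
    $end = strlen($data);
    $out = '';

    for ($i = 0; $i < $len; $i++) {
        if ($pos >= $end) {
            return null;     // declared length runs past the end of the input
        }
        if ($data[$pos] !== '\\') {
            $out .= $data[$pos];
            $pos++;
            continue;
        }
        // Escaped byte: both hex digits must be present inside the input.
        $hex = substr($data, $pos + 1, 2);
        if (strlen($hex) !== 2 || !ctype_xdigit($hex)) {
            return null;
        }
        $out .= chr(hexdec($hex));
        $pos += 3;
    }

    // The payload must be closed by "; with nothing trailing.
    return substr($data, $pos) === '";' ? $out : null;
}

// Constructed samples (single-quoted, so the backslashes are literal).
$samples = [
    'S:3:"\61bc";',  // one escaped byte followed by two plain bytes
    's:3:"abc";',    // lowercase s: token, not handled by this decoder
    'S:3:"\6";',     // escape cut short before its second hex digit
    'S:9:"abc";',    // declared length larger than the payload
];
foreach ($samples as $sample) {
    var_dump(decode_escaped_string_token($sample));
}
```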