[wp-trac] [WordPress Trac] #25311: Replace PHP-serialized data with JSON in api.wordpress.org
WordPress Trac
noreply at wordpress.org
Fri Sep 13 15:00:24 UTC 2013
#25311: Replace PHP-serialized data with JSON in api.wordpress.org
--------------------------------+------------------------------
 Reporter:  scribu              |       Owner:
     Type:  enhancement         |      Status:  new
 Priority:  normal              |   Milestone:  Awaiting Review
Component:  WordPress.org site  |     Version:
 Severity:  normal              |  Resolution:
 Keywords:                      |
--------------------------------+------------------------------
Description changed by scribu:
Old description:
> Returning PHP-serialized strings in api.wordpress.org is lame, for two
> reasons:
>
> ### Security
>
> It has the potential to lead to security exploits via PHP object
> injection: http://vagosec.org/2013/09/wordpress-php-object-injection/
>
> Considering that Core doesn't use HTTPS for most requests it makes to
> api.wordpress.org, this is even more plausible.
>
> ### Portability
>
> It's hard to unserialize these strings in other languages besides PHP.
> JSON is the obvious replacement.
>
> Related: #meta124
New description:
Returning PHP-serialized strings in api.wordpress.org is lame, for two
reasons:

== Security ==

It has the potential to lead to security exploits via PHP object
injection: http://vagosec.org/2013/09/wordpress-php-object-injection/

Considering that Core doesn't use HTTPS for most requests it makes to
api.wordpress.org, this is even more plausible.

== Portability ==

It's hard to unserialize these strings in other languages besides PHP.
JSON is the obvious replacement.

Related: #meta124
--
Ticket URL: <http://core.trac.wordpress.org/ticket/25311#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
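
The difference the ticket's Security section points at, as an added example that is not part of the ticket or of WordPress code: the same untrusted response body parsed with `unserialize()`, with `unserialize()` restricted by `allowed_classes`, and as JSON. The class `CacheFile`, the `parse_*` helpers and the response bodies are hypothetical and constructed for illustration; the `allowed_classes` option assumes PHP 7.0 or later.

```php
<?php
// Hypothetical stand-in for any class already loaded in the client that
// defines a magic method. Here the method only records that it ran.
class CacheFile {
    public static $log = [];
    public $path = '';
    public function __wakeup() { self::$log[] = "__wakeup path={$this->path}"; }
}

// Parsers under comparison (hypothetical names).
function parse_unsafe(string $body) { return unserialize($body); }
function parse_restricted(string $body) {
    // PHP >= 7.0: objects become __PHP_Incomplete_Class, no magic methods run.
    return unserialize($body, ['allowed_classes' => false]);
}
function parse_json(string $body): array {
    $data = json_decode($body, true);   // yields arrays and scalars only
    if (!is_array($data)) {
        throw new UnexpectedValueException('response is not a JSON object or array');
    }
    return $data;
}

// Constructed response body carrying an object the client never asked for,
// as a response altered in transit over plain HTTP could.
$obj = new CacheFile();
$obj->path = '/tmp/constructed-example';
$serialized = serialize(['current' => '3.6.1', 'extra' => $obj]);
$json = json_encode(['current' => '3.6.1', 'extra' => ['path' => $obj->path]]);

CacheFile::$log = [];
parse_unsafe($serialized);
printf("unserialize():            %d magic method call(s)\n", count(CacheFile::$log));

CacheFile::$log = [];
$r = parse_restricted($serialized);
printf("allowed_classes => false: %d call(s), extra is %s\n",
    count(CacheFile::$log), get_class($r['extra']));

CacheFile::$log = [];
$r = parse_json($json);
printf("json_decode():            %d call(s), extra is %s\n",
    count(CacheFile::$log), gettype($r['extra']));
```

JSON removes object instantiation from parsing, but the values in a response fetched without HTTPS can still be altered in transit, so the transport point in the ticket stands independently of the format.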