[wp-trac] [WordPress Trac] #37757: Add `allowed_classes` to `maybe_unserialize` When WordPress is running on PHP 7+
WordPress Trac
noreply at wordpress.org
Sat Sep 9 17:39:38 UTC 2017
#37757: Add `allowed_classes` to `maybe_unserialize` When WordPress is running on PHP 7+
--------------------------------------+------------------------------
 Reporter:  chrisguitarguy            |       Owner:
     Type:  enhancement               |      Status:  new
 Priority:  normal                    |   Milestone:  Awaiting Review
Component:  Security                  |     Version:
 Severity:  normal                    |  Resolution:
 Keywords:  has-patch has-unit-tests  |     Focuses:
--------------------------------------+------------------------------
Changes (by iandunn):
* component: General => Security
Comment:
Would this need to be a filter (like in the ticket description) in order
to be useful? Most calls to `maybe_unserialize()` are done internally by
WP (e.g., inside `get_option()`), rather than directly by plugins, so I'm
not sure how plugins or site admins would be able to take advantage of the
extra parameter set up in [attachment:ticket-37757.2.patch], unless they
started bypassing the API and calling it directly, which I don't think we
want to encourage.
I think it'd also be good to keep in mind that
[https://secure.php.net/manual/en/function.unserialize.php `unserialize()`
is considered dangerous even with `allowed_classes`], so if something like
this is merged, it might be good to make it very clear in the filter
docblock that it shouldn't be considered a safe way to use
`unserialize()`, and that there's no guarantee it'll prevent
vulnerabilities; it's just extra hardening, and `unserialize()` should
still be avoided as much as possible. It's fine to use
`maybe_unserialize()` indirectly through the API, since Core keeps it
safe, but inputs should still be validated, and if a plugin needs to
directly encode non-scalar data, it should use JSON.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/37757#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
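As an added example (not code from the ticket, the attached patch or WordPress Core), here is what a hardened wrapper along the lines the ticket discusses could look like. `safe_maybe_unserialize()`, `contains_incomplete_class()` and `expect()` are hypothetical names, the shape check is modelled on but not copied from `is_serialized()`, and the sample payloads are constructed. It shows the PHP 7 `allowed_classes` option in both its forms, the `__PHP_Incomplete_Class` placeholder that a disallowed class turns into (which the wrapper refuses instead of passing on as data), and the JSON round-trip iandunn recommends for non-scalar plugin data.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical hardened wrapper (added example, not the ticket's patch or
 * WordPress code). Like maybe_unserialize() it returns non-serialized input
 * untouched; unlike plain unserialize() it forbids object instantiation
 * unless a class whitelist is passed, and it refuses payloads that referenced
 * a class outside that whitelist instead of silently returning
 * __PHP_Incomplete_Class placeholders.
 */
function safe_maybe_unserialize(string $data, array $allowed_classes = [])
{
    // Cheap shape check (modelled on WordPress's is_serialized(), not the
    // same code): a serialized value is "N;" or starts with a type marker.
    if ($data !== 'N;' && !preg_match('/^[abCdiOs]:/', $data)) {
        return $data;
    }

    // PHP 7.0+ option: false forbids every class, an array allows only those
    // names. Disallowed classes are never instantiated, so their __wakeup()
    // and __destruct() methods never run.
    $value = @unserialize($data, [
        'allowed_classes' => $allowed_classes === [] ? false : $allowed_classes,
    ]);

    if (contains_incomplete_class($value)) {
        throw new UnexpectedValueException(
            'Serialized payload referenced a class that is not allowed'
        );
    }

    return $value;
}

/** Recursively look for __PHP_Incomplete_Class placeholders in arrays/objects. */
function contains_incomplete_class($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value) || is_object($value)) {
        foreach ((array) $value as $item) {
            if (contains_incomplete_class($item)) {
                return true;
            }
        }
    }
    return false;
}

/** Minimal check helper so the demo fails loudly instead of relying on assert(). */
function expect(bool $ok, string $what)
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what", PHP_EOL;
}

// Constructed sample inputs.
$plain  = 'just a string';
$array  = serialize(['color' => 'blue', 'count' => 3]);
$object = 'O:8:"stdClass":1:{s:5:"color";s:4:"blue";}';

expect(safe_maybe_unserialize($plain) === $plain, 'plain strings pass through');
expect(safe_maybe_unserialize($array) === ['color' => 'blue', 'count' => 3], 'arrays of scalars decode');

// Object payload with no whitelist: rejected rather than instantiated.
$rejected = false;
try {
    safe_maybe_unserialize($object);
} catch (UnexpectedValueException $e) {
    $rejected = true;
}
expect($rejected, 'object payload rejected when no class is allowed');

// Same payload with stdClass explicitly allowed.
expect(safe_maybe_unserialize($object, ['stdClass'])->color === 'blue', 'whitelisted class decodes');

// Preferred encoding for plugin data: json_decode() never instantiates classes.
$json = json_encode(['color' => 'blue', 'count' => 3]);
expect(json_decode($json, true) === ['color' => 'blue', 'count' => 3], 'JSON round-trips without objects');
```

Run it with `php` 7.0 or later. The design choice worth noting is the refusal step: `allowed_classes` alone does not make the result safe to trust, because a payload naming a disallowed class still decodes to a `__PHP_Incomplete_Class` object, and later code that serializes or touches it can misbehave. Treating that placeholder as a rejected input, and keeping plugin data in JSON so no class name is ever part of the payload, is the layered approach the comment above argues for.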