[wp-trac] [WordPress Trac] #37757: Add `allowed_classes` to `maybe_unserialize` When WordPress is running on PHP 7+
WordPress Trac
noreply at wordpress.org
Mon Sep 11 15:42:44 UTC 2017
--------------------------------------+------------------------------
 Reporter:  chrisguitarguy            |       Owner:
     Type:  enhancement               |      Status:  new
 Priority:  normal                    |   Milestone:  Awaiting Review
Component:  Security                  |     Version:
 Severity:  normal                    |  Resolution:
 Keywords:  has-patch has-unit-tests  |     Focuses:
--------------------------------------+------------------------------
Comment (by NathanAtmoz):
Replying to [comment:4 iandunn]:
> Would this need to be a filter (like in the ticket description) in order
> to be useful? Most calls to `maybe_unserialize()` are done internally by
> WP (e.g., inside `get_option()`), rather than directly by plugins, so I'm
> not sure how plugins or site admins would be able to take advantage of the
> extra parameter setup in [attachment:ticket-37757.2.patch], unless they
> started bypassing the API and calling it directly, which I don't think we
> want to encourage.
I can see the reasoning behind wanting this to be a filterable option. But
adding a filter to allowed classes seems like a bad idea to me. This would
allow an arbitrary plugin or theme to basically 'reset' the allowed
classes to accept all classes.
{{{#!php
<?php
add_filter( 'unserialization_options', '__return_true', 99999999 );
}}}
Instead of one filter to control all unserialization options, I think it'd
be better to introduce the `unserialization_options_{$option}` filter. So,
e.g. in `get_option()` we would add the unserialization options filter
just before returning the options.
{{{#!php
<?php
// Inside get_option(), just before the value is returned:
$unserialization_options = apply_filters( "unserialization_options_{$option}", true, $option );
return apply_filters( "option_{$option}", maybe_unserialize( $value, $unserialization_options ), $option );
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/37757#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
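As an added example (not code from this ticket, its patch, or WordPress core), the following hypothetical `example_maybe_unserialize()` wrapper shows what each value of PHP 7's `allowed_classes` option does to a serialized object, including the `true` that a `__return_true` filter would reinstate; the `is_serialized()` stand-in and the sample value are assumptions constructed for the example.

```php
<?php
// Added example, not WordPress core code. A hypothetical maybe_unserialize()
// wrapper that forwards PHP 7's `allowed_classes` option to unserialize().

function example_maybe_unserialize( $data, $allowed_classes = true ) {
    // Simplified stand-in for core's is_serialized() check (assumption):
    // only strings that start like a serialized value are unserialized.
    if ( ! is_string( $data ) || ! preg_match( '/^(N;|[aOsbid]:)/', $data ) ) {
        return $data;
    }
    if ( PHP_VERSION_ID < 70000 ) {
        // PHP 5 has no allowed_classes; any named class may be instantiated.
        return unserialize( $data );
    }
    // true  = instantiate any class (PHP's default, and what a
    //         `__return_true` filter on the options would reinstate);
    // false = instantiate no class, objects become __PHP_Incomplete_Class;
    // array = only the listed class names are instantiated.
    return unserialize( $data, array( 'allowed_classes' => $allowed_classes ) );
}

// Constructed sample value: a serialized stdClass, the shape of an object option.
$serialized = serialize( (object) array( 'role' => 'administrator' ) );

// Unrestricted: a real stdClass instance comes back; for a class defining
// __wakeup() or __destruct(), those magic methods would run during unserialization.
$open = example_maybe_unserialize( $serialized, true );

// Restricted: the property data is preserved but the object is an
// __PHP_Incomplete_Class, so no constructor or magic method of the named class runs.
$closed = example_maybe_unserialize( $serialized, false );

// Allow-list: only stdClass may be instantiated; any other class name would
// come back as __PHP_Incomplete_Class.
$listed = example_maybe_unserialize( $serialized, array( 'stdClass' ) );

// Non-serialized input passes through untouched, as with core's maybe_unserialize().
$plain = example_maybe_unserialize( 'not serialized', false );

printf(
    "true: %s\nfalse: %s\narray: %s\nplain: %s\n",
    get_class( $open ),
    get_class( $closed ),
    get_class( $listed ),
    $plain
);
```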