[wp-trac] [WordPress Trac] #45895: maybe_unserialize: handle exceptions thrown during unserialization
WordPress Trac
noreply at wordpress.org
Thu Mar 21 23:32:57 UTC 2019
#45895: maybe_unserialize: handle exceptions thrown during unserialization
--------------------------------------+----------------------
Reporter: bluefuton | Owner: desrosj
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: General | Version:
Severity: normal | Resolution: wontfix
Keywords: has-patch has-unit-tests | Focuses:
--------------------------------------+----------------------
Comment (by bluefuton):

Thanks for looking into this @desrosj!

I understand your `wontfix` decision here, but just wanted to add some
additional details in case someone returns to this one.

The exception I saw was thrown in PHP 7.2.13 and it was definitely during
unserialization. Using the code in the description, I received:
{{{
object(Exception)#1 (7) {
  ["message":protected]=>
  string(52) "Unserialization of 'SimpleXMLElement' is not allowed"
  ["string":"Exception":private]=>
  string(0) ""
  ["code":protected]=>
  int(0)
  ["file":protected]=>
  string(25) "/home/wpcom/test-php7.php"
  ["line":protected]=>
  int(7)
  ["trace":"Exception":private]=>
  array(1) {
    [0]=>
    array(4) {
      ["file"]=>
      string(25) "/home/wpcom/test-php7.php"
      ["line"]=>
      int(7)
      ["function"]=>
      string(11) "unserialize"
      ["args"]=>
      array(1) {
        [0]=>
        string(28) "O:16:"SimpleXMLElement":0:{}"
      }
    }
  }
  ["previous":"Exception":private]=>
  NULL
}
NULL
}}}
We encountered this on WordPress.com in a place where we unserialize post
meta. One site had an empty SimpleXMLElement serialized in post meta
(apparently created by a site importer). We now handle the exception
outside of `maybe_serialize` in that scenario.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/45895#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
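
One way to handle the exception at the call site, as the comment above describes doing for post meta (an added example, not code from the ticket or from WordPress core; the helper name `safe_unserialize_meta`, its parameters and the sample strings are assumptions):

```php
<?php
// Added example; safe_unserialize_meta() is a hypothetical helper, not WordPress core.
function safe_unserialize_meta( $raw, $default = null, $allowed_classes = false ) {
    if ( ! is_string( $raw ) ) {
        return $raw; // Already a native value, nothing to decode.
    }
    $trimmed = trim( $raw );
    if ( 'b:0;' === $trimmed ) {
        return false; // Serialized false is a legitimate value, not a failure.
    }
    try {
        // allowed_classes (PHP 7.0+) limits which classes the payload may
        // instantiate; false turns every object into __PHP_Incomplete_Class.
        // Pass an array of class names if the meta legitimately stores objects.
        $value = @unserialize( $trimmed, array( 'allowed_classes' => $allowed_classes ) );
    } catch ( \Throwable $e ) {
        // The exception is handled here instead of propagating into the request.
        error_log( 'Meta unserialize failed: ' . $e->getMessage() );
        return $default;
    }
    // unserialize() returns false for input it cannot parse; this helper
    // treats such input as a plain string and hands it back unchanged.
    return ( false === $value ) ? $raw : $value;
}

// Constructed sample meta values; the second string is the payload from the ticket.
$samples = array(
    'a:1:{s:5:"title";s:5:"Hello";}',
    'O:16:"SimpleXMLElement":0:{}',
    'plain text value',
);
foreach ( $samples as $raw ) {
    var_dump( safe_unserialize_meta( $raw ) );
    // Same payload with class instantiation allowed, where the exception can occur.
    var_dump( safe_unserialize_meta( $raw, null, true ) );
}
```

Restricting `allowed_classes` also narrows the object-injection surface of stored meta, at the cost of returning incomplete objects for any class that is not listed.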