[wp-trac] [WordPress Trac] #59233: Improve error handling for unserialize()
WordPress Trac
noreply at wordpress.org
Mon Aug 28 23:47:32 UTC 2023
#59233: Improve error handling for unserialize()
-------------------------------+--------------------
Reporter: jrf | Owner: (none)
Type: task (blessed) | Status: new
Priority: normal | Milestone: 6.4
Component: General | Version:
Severity: normal | Keywords: php83
Focuses: php-compatibility |
-------------------------------+--------------------
From https://core.trac.wordpress.org/ticket/59231:
> === [https://wiki.php.net/rfc/unserialize_warn_on_trailing_data Make unserialize() emit a warning for trailing bytes]
>
> While based on the current test suite, WP is not ''directly'' affected by this, the [https://developer.wordpress.org/reference/functions/maybe_unserialize/ `maybe_unserialize()`] function could still be confronted by data with trailing bytes.
>
> However, the call to the PHP native `unserialize()` within `maybe_unserialize()` silences all (PHP 8.0+: non-fatal) errors, so this new warning will not affect WP or its ecosystem as long as the `maybe_unserialize()` function is used.
>
> Having said that, a critical look at `maybe_unserialize()` may be warranted as the new warning in PHP is related to security issues discovered in other projects, so WP may want to consider rejecting unserialization for data throwing this warning.
>
> Also note that there are 7 uses of `unserialize()` in total within WP Core, one within `maybe_unserialize()`, but the function is also used in 6 other places and 5 of those do not use error silencing.
>
>
> === [https://wiki.php.net/rfc/improve_unserialize_error_handling Improve unserialize() error handling]
>
> This, again, affects the [https://developer.wordpress.org/reference/functions/maybe_unserialize/ `maybe_unserialize()`] function and this time, the code should probably be adjusted to handle the new errors which `unserialize()` can now throw.
>
> The change does not affect unserializing valid data, but in the case of invalid data, the type and severity of the notices/warnings/catchable exceptions have been changed.
>
> All 7 uses of `unserialize()` in WP Core should be reviewed and for the 6 uses outside of the `maybe_unserialize()` function, it should be reviewed whether they can/should switch to using `maybe_unserialize()` and/or whether they should get their own (improved) error handling.
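
As an added illustration (not code from this ticket or from WordPress Core) of what "rejecting unserialization for data throwing this warning" could look like: a stand-in for `maybe_unserialize()` with the hypothetical name `wp_strict_unserialize()` that turns the diagnostics `unserialize()` raises (E_NOTICE before PHP 8.3, E_WARNING on 8.3+, including the new trailing-bytes warning) into a refusal instead of silencing them with `@`, and never instantiates classes from the payload. It assumes a simplified serialized-string check in place of Core's `is_serialized()`, and the payloads at the bottom are constructed.

```php
<?php
// Added example, not WordPress Core code. Hypothetical stricter stand-in for
// maybe_unserialize(): diagnostics from unserialize() mean the payload is
// rejected, and allowed_classes defaults to "none" so no object is revived.
function wp_strict_unserialize( $data, $allowed_classes = array() ) {
    // Only strings that look serialized are touched; everything else is
    // returned unchanged, as maybe_unserialize() does. Simplified check,
    // Core uses is_serialized() here.
    if ( ! is_string( $data ) || ! preg_match( '/^(?:N;|[bidsaO]:)/', $data ) ) {
        return $data;
    }

    $failed = false;
    set_error_handler(
        function ( $errno, $errstr ) use ( &$failed ) {
            // Any notice/warning from unserialize() ("Error at offset",
            // "Extra data starting at offset" on 8.3+) marks the data as bad.
            $failed = true;
            return true; // handled: do not fall through to the default handler
        },
        E_WARNING | E_NOTICE
    );
    try {
        $value = unserialize( $data, array( 'allowed_classes' => $allowed_classes ) );
    } finally {
        restore_error_handler();
    }

    // unserialize() returns false both for the valid payload "b:0;" and on
    // failure, so the diagnostic flag, not the return value, is the signal.
    // On failure the raw string comes back unchanged so callers can detect it.
    if ( $failed ) {
        return $data;
    }
    return $value;
}

// Constructed payloads for trying the function out.
$clean    = 'a:1:{s:3:"key";s:5:"value";}';
$trailing = 'a:1:{s:3:"key";s:5:"value";}garbage'; // trailing bytes after a valid value
$broken   = 'a:2:{s:3:"key";s:5:"value";}';        // declared count does not match contents
$object   = 'O:8:"stdClass":0:{}';                  // object payload, blocked by allowed_classes

foreach ( array( $clean, $trailing, $broken, $object ) as $payload ) {
    var_dump( wp_strict_unserialize( $payload ) );
}
```

On PHP versions before 8.3 the trailing-bytes payload produces no diagnostic, so it is accepted there and rejected only on 8.3+, which is exactly the version-dependent behaviour the ticket asks Core to decide on.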
--
Ticket URL: <https://core.trac.wordpress.org/ticket/59233>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform