[wp-trac] [WordPress Trac] #2591: users can enter dangerous serialized strings

WordPress Trac wp-trac at lists.automattic.com
Thu Mar 23 09:38:44 GMT 2006

#2591: users can enter dangerous serialized strings
       Id:  2591       |      Status:  new                     
Component:  Security   |    Modified:  Thu Mar 23 09:38:44 2006
 Severity:  normal     |   Milestone:  2.1                     
 Priority:  normal     |     Version:  2.0.2                   
    Owner:  anonymous  |    Reporter:  random                  
 Users can enter serialized objects etc. as strings in (e.g.) the "first
 name" field on the profile page, and these strings aren't necessarily safe
 to unserialized.

 For example, serialized objects run the magic _ _wakeup() function when
 they're unserialized. If the PDO extension is enabled -- and it is by
 default in PHP 5 -- you can cause a fatal error with this:


 Much worse, you can enter something like:


 i.e., an array with 100,000,000 elements. PHP doesn't know they're empty,
 so it starts eating up memory. In my test it crashed Apache.

 Either way, it's a problem. I think it's best to add something to
 maybe_unserialize(), since just sanitizing input will still leave plugins
 vulnerable down the road.

 I'm not adding a patch since I can only think of hacks like checking for
 /^O:/ or that the number of elements doesn't go over some arbitrary limit.

 Maybe a type-hinting field for the setting, so something input as a string
 isn't unserialized?

 [http://ilia.ws/archives/107-Another-unserialize-abuse.html More info

Ticket URL: <http://trac.wordpress.org/ticket/2591>
WordPress Trac <http://wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list