[wp-trac] [WordPress Trac] #2591: users can enter dangerous serialized strings
WordPress Trac
wp-trac at lists.automattic.com
Thu Mar 23 09:38:44 GMT 2006
#2591: users can enter dangerous serialized strings
-----------------------+----------------------------------------------------
Id: 2591 | Status: new
Component: Security | Modified: Thu Mar 23 09:38:44 2006
Severity: normal | Milestone: 2.1
Priority: normal | Version: 2.0.2
Owner: anonymous | Reporter: random
-----------------------+----------------------------------------------------
Users can enter serialized objects etc. as strings in (e.g.) the "first
name" field on the profile page, and these strings aren't necessarily safe
to unserialize.
For example, serialized objects run the magic __wakeup() function when
they're unserialized. If the PDO extension is enabled -- and it is by
default in PHP 5 -- you can cause a fatal error with this:
{{{
O:3:"PDO":0:{}
}}}
Much worse, you can enter something like:
{{{
a:100000000:{}
}}}
i.e., an array with 100,000,000 elements. PHP doesn't know they're empty,
so it starts eating up memory. In my test it crashed Apache.
Either way, it's a problem. I think it's best to add something to
maybe_unserialize(), since just sanitizing input will still leave plugins
vulnerable down the road.
I'm not adding a patch since I can only think of hacks like checking for
/^O:/ or that the number of elements doesn't go over some arbitrary limit.
Thoughts?
Maybe a type-hinting field for the setting, so something input as a string
isn't unserialized?
[http://ilia.ws/archives/107-Another-unserialize-abuse.html More info here.]
--
Ticket URL: <http://trac.wordpress.org/ticket/2591>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
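The guard the report asks for in maybe_unserialize(), as an added example that is not WordPress code and not part of the original ticket: a structural pre-check that walks a serialized string without building any values, so a declared `a:100000000:{}` is rejected before PHP allocates anything, and `O:`/`C:` tokens are refused so no __wakeup() ever runs. The class name, the function name `safe_maybe_unserialize()` and the MAX_NODES/MAX_DEPTH limits are assumptions chosen for this example; it assumes PHP 7.4 or later (typed properties), and the `allowed_classes` option it passes to unserialize() exists from PHP 7.0.

```php
<?php
// Added example (not WordPress code): a pre-validator for PHP's serialization
// format. It checks declared sizes against the bytes actually present and
// refuses object payloads, then hands only validated input to unserialize().

final class SerializedValidator
{
    private string $s;
    private int $pos = 0;
    private int $nodes = 0;

    // Hypothetical limits chosen for this example; tune them for your data.
    private const MAX_NODES = 10000;   // total values, nested ones included
    private const MAX_DEPTH = 32;

    private function __construct(string $s) { $this->s = $s; }

    /** True if $s is a complete, well-formed, object-free serialized value. */
    public static function isSafe(string $s): bool
    {
        $v = new self($s);
        try {
            $v->value(0);
            return $v->pos === strlen($s);   // no trailing garbage allowed
        } catch (UnexpectedValueException $e) {
            return false;
        }
    }

    private function fail(string $why): void
    {
        throw new UnexpectedValueException($why . ' at offset ' . $this->pos);
    }

    private function expect(string $lit): void
    {
        $n = strlen($lit);
        if (substr($this->s, $this->pos, $n) !== $lit) {
            $this->fail("expected '$lit'");
        }
        $this->pos += $n;
    }

    // Reads a token made only of $allowed characters up to $terminator.
    private function readUntil(string $terminator, string $allowed): string
    {
        $end = strpos($this->s, $terminator, $this->pos);
        if ($end === false) {
            $this->fail("missing '$terminator'");
        }
        $tok = substr($this->s, $this->pos, $end - $this->pos);
        if ($tok === '' || strspn($tok, $allowed) !== strlen($tok)) {
            $this->fail('bad token');
        }
        $this->pos = $end + 1;
        return $tok;
    }

    private function value(int $depth): void
    {
        if (++$this->nodes > self::MAX_NODES) $this->fail('too many values');
        if ($depth > self::MAX_DEPTH)         $this->fail('nesting too deep');
        if ($this->pos >= strlen($this->s))   $this->fail('truncated');

        $type = $this->s[$this->pos++];
        switch ($type) {
            case 'N':
                $this->expect(';');
                break;
            case 'b': case 'i':
                $this->expect(':');
                $this->readUntil(';', '-0123456789');
                break;
            case 'd':
                $this->expect(':');
                $this->readUntil(';', '-+.0123456789eEINFNA');  // also INF/NAN
                break;
            case 's':
                $this->expect(':');
                $len = (int) $this->readUntil(':', '0123456789');
                // The declared length must fit in the bytes left: '"' + data + '";'
                if ($len > strlen($this->s) - $this->pos - 3) $this->fail('string too long');
                $this->expect('"');
                $this->pos += $len;
                $this->expect('";');
                break;
            case 'a':
                $this->expect(':');
                $count = (int) $this->readUntil(':', '0123456789');
                // Each element needs a key and a value; the shortest pair is
                // i:0;N; (6 bytes), so a larger count than the bytes allow is a lie.
                if ($count > intdiv(strlen($this->s) - $this->pos, 6)) $this->fail('array count too large');
                $this->expect('{');
                for ($i = 0; $i < $count; $i++) {
                    $this->key($depth + 1);
                    $this->value($depth + 1);
                }
                $this->expect('}');
                break;
            case 'O': case 'C':
                $this->fail('objects are not allowed');   // no __wakeup(), ever
            default:
                $this->fail("unknown type '$type'");
        }
    }

    private function key(int $depth): void
    {
        if ($this->pos >= strlen($this->s)) $this->fail('truncated');
        $t = $this->s[$this->pos];
        if ($t !== 'i' && $t !== 's') $this->fail('array keys must be int or string');
        $this->value($depth);
    }
}

// Hypothetical replacement for maybe_unserialize(): unchanged input comes back
// as-is when it is not serialized, malformed, oversized, or carries an object.
function safe_maybe_unserialize(string $data)
{
    if (!SerializedValidator::isSafe($data)) {
        return $data;
    }
    // allowed_classes => false (PHP >= 7.0) is a second line of defence: any
    // class token becomes __PHP_Incomplete_Class and no real __wakeup() runs.
    return unserialize($data, ['allowed_classes' => false]);
}

// Constructed inputs, including both payloads from the report.
var_dump(safe_maybe_unserialize('a:1:{i:0;s:5:"hello";}'));  // array(1) { [0]=> "hello" }
var_dump(safe_maybe_unserialize('O:3:"PDO":0:{}'));           // string, untouched
var_dump(safe_maybe_unserialize('a:100000000:{}'));           // string, untouched
var_dump(safe_maybe_unserialize('Jane'));                     // string, untouched
```

The two checks that matter are the size bounds: a string's declared length and an array's declared element count are each compared with the bytes still unread before anything is parsed beneath them, which is exactly what the 100,000,000-element payload relies on PHP not doing. Rejecting `O:` and `C:` outright is cruder than a class allowlist, but for option and profile data that never legitimately holds objects it is the safer default.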