[wp-trac] Re: [WordPress Trac] #2591: users can enter dangerous serialized strings

WordPress Trac wp-trac at lists.automattic.com
Fri Mar 24 03:53:38 GMT 2006

#2591: users can enter dangerous serialized strings
       Id:  2591       |      Status:  new                     
Component:  Security   |    Modified:  Fri Mar 24 03:53:38 2006
 Severity:  normal     |   Milestone:  2.1                     
 Priority:  normal     |     Version:  2.0.2                   
    Owner:  anonymous  |    Reporter:  random                  
Comment (by markjaquith):

 As long as plugins are using the API, it should be fine.  I can think of
 one place in WP where the API is not used, (direct query in wp-
 settings.php:123) but it just checks that there is a value, it doesn't use
 the value itself.

 As for upgrading of existing strings, couldn't we just let it happen
 naturally?  We'd still be passing stuff through the "maybe unserialize"
 function, so it'd just get upgraded whenever it was updated.

Ticket URL: <http://trac.wordpress.org/ticket/2591>
WordPress Trac <http://wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list