[wp-trac] Re: [WordPress Trac] #2591: users can enter dangerous serialized strings

WordPress Trac wp-trac at lists.automattic.com
Fri Mar 24 04:48:04 GMT 2006

#2591: users can enter dangerous serialized strings
       Id:  2591       |      Status:  new                     
Component:  Security   |    Modified:  Fri Mar 24 04:48:04 2006
 Severity:  normal     |   Milestone:  2.1                     
 Priority:  normal     |     Version:  2.0.2                   
    Owner:  anonymous  |    Reporter:  random                  
Comment (by markjaquith):

 I'm testing out the uploaded patch on a local SVN test install.  It
 serializes in update_option() and add_option() in every case (not just
 object and array).

 Problem: using the secret "options.php" page will destroy your options
 table.  The serialized strings are re-serialized, and serialized arrays
 are serialized as a string.  We'll have to make a special case for this
 page, and skip serialization.

Ticket URL: <http://trac.wordpress.org/ticket/2591>
WordPress Trac <http://wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list