[wp-trac] Re: [WordPress Trac] #2591: users can enter dangerous serialized strings

WordPress Trac wp-trac at lists.automattic.com
Fri Mar 24 09:17:49 GMT 2006


#2591: users can enter dangerous serialized strings
-------------------------+--------------------------------------------------
       Id:  2591         |      Status:  assigned                
Component:  Security     |    Modified:  Fri Mar 24 09:17:49 2006
 Severity:  normal       |   Milestone:  2.1                     
 Priority:  normal       |     Version:  2.0.2                   
    Owner:  markjaquith  |    Reporter:  random                  
-------------------------+--------------------------------------------------
Comment (by markjaquith):

 You know what?  Serializing everything is really more trouble than it is
 worth.  It will break dozens of plugins, and make troubleshooting a
 nightmare.  Manually editing the options table will be a hellish
 experience.

 The problem (i.e. the security risk) is this:  serialized objects/arrays
 are inserted into the database as simple text, but are interpreted as
 objects/arrays when coming out.  We need to recognize when someone is
 trying to do that, and block it.

 So what we need is a function that can detect serialized data WITHOUT
 doing an actual unserialize test on it.  I've seen several GPL functions
 that do that, using various techniques.  So what I'm going to do is find
 all such GPL functions, merge them (if necessary) and use that
 is_serialized() check for the update/add/delete functions so that it
 rejects serialized data.  Next, I'll need to make changes to options.php
 and post meta so that it doesn't display serialized data.  For example,
 the feeds that are stored in the options table show up in options.php, and
 you can save them.  Honestly, serialized data is a bear to edit, and I
 really don't think anyone is going to miss it if we just have the value
 field deactivated and maybe write "array" or "object" and ignore those
 fields on update.

 How's that sound?  I just really don't think that serializing plain text
 strings is a good move in terms of usability and backwards compatibility.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/2591>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
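The kind of format-based check the comment describes, as an added example (not WordPress code and not the GPL functions mentioned above): it classifies a string as PHP-serialized by its shape alone, so an add/update path can reject it without ever calling unserialize() on untrusted input. The function names looks_serialized() and option_value_is_safe() and the sample values are constructed for this illustration.

```php
<?php
// Added example, not WordPress code: detect PHP-serialized strings by their
// format so they can be rejected before storage. unserialize() is never
// called, so inspecting a hostile value cannot instantiate objects or run
// __wakeup()/__destruct() side effects.
function looks_serialized(string $data): bool
{
    $data = trim($data);
    if ($data === 'N;') {                 // serialized null
        return true;
    }
    if (strlen($data) < 4 || $data[1] !== ':') {
        return false;                     // every other type starts "<t>:"
    }
    $last = substr($data, -1);
    switch ($data[0]) {
        case 's':                         // s:<len>:"<string>";
            return $last === ';' && substr($data, -2, 1) === '"';
        case 'a':                         // a:<count>:{...}
        case 'O':                         // O:<len>:"<class>":<count>:{...}
            return $last === '}';
        case 'b':                         // b:0; or b:1;
        case 'i':                         // i:<int>;
        case 'd':                         // d:<float>;
            return (bool) preg_match('/^[bid]:[0-9.Ee+-]+;$/', $data);
    }
    return false;
}

// Guard for an add/update path: a user-typed value is only accepted when it
// would NOT be re-interpreted as an array/object on the way back out.
function option_value_is_safe(string $value): bool
{
    return !looks_serialized($value);
}

// Constructed sample option values => expected "safe to store as typed".
$samples = [
    'Hello, world'                     => true,   // plain text
    'http://example.com/feed/'         => true,   // has a ':' but wrong shape
    'a:1:{s:3:"key";s:5:"value";}'     => false,  // serialized array
    'O:8:"stdClass":1:{s:1:"x";i:1;}'  => false,  // serialized object
    'i:42;'                            => false,  // serialized integer
];
foreach ($samples as $value => $expected) {
    assert(option_value_is_safe($value) === $expected);
}
echo "all checks passed\n";
```

Only the first character, the colon and the terminator are inspected, so a value that merely contains a colon (such as a feed URL) is still accepted.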

