[wp-trac] Re: [WordPress Trac] #2591: users can enter dangerous serialized strings
WordPress Trac
wp-trac at lists.automattic.com
Fri Mar 24 09:17:49 GMT 2006
#2591: users can enter dangerous serialized strings
-------------------------+--------------------------------------------------
Id: 2591 | Status: assigned
Component: Security | Modified: Fri Mar 24 09:17:49 2006
Severity: normal | Milestone: 2.1
Priority: normal | Version: 2.0.2
Owner: markjaquith | Reporter: random
-------------------------+--------------------------------------------------
Comment (by markjaquith):
You know what? Serializing everything is really more trouble than it is
worth. It will break dozens of plugins, and make troubleshooting a
nightmare. Manually editing the options table will be a hellish
experience.
The problem (i.e. the security risk) is this: serialized objects/arrays
are inserted into the database as simple text, but are interpreted as
objects/arrays when coming out. We need to recognize when someone is
trying to do that, and block it.
So what we need is a function that can detect serialized data WITHOUT
doing an actual unserialize test on it. I've seen several GPL functions
that do that, using various techniques. So what I'm going to do is find
all such GPL functions, merge them (if necessary) and use that
is_serialized() check for the update/add/delete functions so that it
rejects serialized data. Next, I'll need to make changes to options.php
and post meta so that it doesn't display serialized data. For example,
the feeds that are stored in the options table show up in options.php, and
you can save them. Honestly, serialized data is a bear to edit, and I
really don't think anyone is going to miss it if we just have the value
field deactivated and maybe write "array" or "object" and ignore those
fields on update.
How's that sound? I just really don't think that serializing plain text
strings is a good move in terms of usability and backwards compatibility.
--
Ticket URL: <http://trac.wordpress.org/ticket/2591>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
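The detection function the comment above describes, as an added example (this is not WordPress code and not the is_serialized() that eventually shipped in the project): a purely structural check for the PHP serialize() format that never calls unserialize(), plus a write wrapper that refuses such values so that user-supplied text can no longer come back out of the store as an array or object. The in-memory `$store` array and the `safe_update_option()` / `naive_get_option()` helpers are stand-ins for the options table and its accessors, assumed here for illustration.

```php
<?php
// Added example, not WordPress code. A structural detector for strings in
// PHP serialize() format. It inspects type prefix, terminator and, for
// strings, the declared length, without ever calling unserialize().
function is_serialized(string $data): bool
{
    $data = trim($data);
    if ($data === 'N;') {                       // serialized null
        return true;
    }
    if (strlen($data) < 4 || $data[1] !== ':') { // every other type is "X:..."
        return false;
    }
    $last = substr($data, -1);
    switch ($data[0]) {
        case 's':
            // s:<len>:"<bytes>";  -- verify <len> against the actual payload so
            // that a value merely starting with s: is not misreported.
            if (substr($data, -2) !== '";' || !preg_match('/^s:(\d+):"/', $data, $m)) {
                return false;
            }
            return (int) $m[1] === strlen($data) - strlen($m[0]) - 2;
        case 'a':   // a:<count>:{...}
        case 'O':   // O:<len>:"<class>":<count>:{...}
            return preg_match('/^[aO]:\d+:/', $data) === 1 && $last === '}';
        case 'b':   // b:0; / b:1;
        case 'i':   // i:-42;
        case 'd':   // d:1.5;  d:1.0E+25;
            return preg_match('/^[bid]:-?[0-9.E+-]+;$/', $data) === 1;
    }
    return false;
}

// Assumed stand-in for update_option(): refuse text that is in serialized
// form, because the reader below would otherwise turn it into an object.
function safe_update_option(array &$store, string $name, string $value): bool
{
    if (is_serialized($value)) {
        return false;                           // rejected, nothing written
    }
    $store[$name] = $value;
    return true;
}

// Assumed stand-in for the vulnerable read path the ticket describes: whatever
// looks serialized is unserialized on the way out of the store.
function naive_get_option(array $store, string $name)
{
    $value = $store[$name] ?? null;
    return is_string($value) && is_serialized($value) ? unserialize($value) : $value;
}

// Constructed samples covering each serialize() type and the malformed cases.
$samples = [
    'Hello, world'                     => false,
    'N;'                               => true,
    'b:1;'                             => true,
    'i:-42;'                           => true,
    'd:1.0E+25;'                       => true,
    's:5:"hello";'                     => true,
    's:5:"hell";'                      => false, // declared length does not match
    'a:1:{i:0;s:3:"foo";}'             => true,
    'O:8:"stdClass":1:{s:1:"x";i:1;}'  => true,
    'a:1:{i:0;s:3:"foo";'              => false, // missing closing brace
    'i:abc;'                           => false, // not a number
];
foreach ($samples as $text => $expected) {
    assert(is_serialized($text) === $expected, "is_serialized($text)");
}

// The risk: stored as plain text, read back as an array.
$store = [];
$store['blogname'] = 'a:1:{i:0;s:3:"foo";}';        // written without the check
assert(is_array(naive_get_option($store, 'blogname')));

// With the check on the write path the same input never reaches the store.
$store = [];
assert(safe_update_option($store, 'blogname', 'a:1:{i:0;s:3:"foo";}') === false);
assert(safe_update_option($store, 'blogname', 'My Blog') === true);
assert(naive_get_option($store, 'blogname') === 'My Blog');
echo "all checks passed\n";
```

The check is deliberately conservative: it only needs to decide whether a string *could* be interpreted as serialized data, so rejecting a malformed look-alike is the safe outcome, and nothing untrusted is ever passed to unserialize() just to find out. Note that the regex for b/i/d accepts only digits, sign, dot and E, so values such as `d:INF;` or `d:NAN;` would be reported as not serialized; tighten that branch if a store may legitimately hold them.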