[wp-trac] Re: [WordPress Trac] #2591: users can enter dangerous serialized strings

WordPress Trac wp-trac at lists.automattic.com
Fri Mar 24 22:50:49 GMT 2006

#2591: users can enter dangerous serialized strings
       Id:  2591         |      Status:  assigned                
Component:  Security     |    Modified:  Fri Mar 24 22:50:49 2006
 Severity:  normal       |   Milestone:  2.1                     
 Priority:  normal       |     Version:  2.0.2                   
    Owner:  markjaquith  |    Reporter:  random                  
Comment (by random):

 Instead of throwing an error if is_serialized() is true, that string could
 be double-serialized -- I mean, if I self-identify as a serialized array,
 who are you to stop me putting that in my bio? ;)

 Seriously though, I think the Right way is to ensure that something saved
 as a string isn't unserialized, not to put a fence up to keep certain
 types of strings out. Short of an ugly meta_value_type column I don't see
 a non-hackish way to do that, though, so +1 for Mark's latest patch.

 David, running unserialize() on everything kind of defeats the purpose of
 having an is_serialized() function at all. :)

Ticket URL: <http://trac.wordpress.org/ticket/2591>
WordPress Trac <http://wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list