[wp-trac] Re: [WordPress Trac] #2591: users can enter dangerous serialized strings
WordPress Trac
wp-trac at lists.automattic.com
Fri Mar 24 22:50:49 GMT 2006
#2591: users can enter dangerous serialized strings
-------------------------+--------------------------------------------------
Id: 2591 | Status: assigned
Component: Security | Modified: Fri Mar 24 22:50:49 2006
Severity: normal | Milestone: 2.1
Priority: normal | Version: 2.0.2
Owner: markjaquith | Reporter: random
-------------------------+--------------------------------------------------
Comment (by random):
Instead of throwing an error if is_serialized() is true, that string could
be double-serialized -- I mean, if I self-identify as a serialized array,
who are you to stop me putting that in my bio? ;)
Seriously though, I think the Right way is to ensure that something saved
as a string isn't unserialized, not to put a fence up to keep certain
types of strings out. Short of an ugly meta_value_type column I don't see
a non-hackish way to do that, though, so +1 for Mark's latest patch.
David, running unserialize() on everything kind of defeats the purpose of
having an is_serialized() function at all. :)
--
Ticket URL: <http://trac.wordpress.org/ticket/2591>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
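The "double-serialize" idea in the comment above, sketched as an added example (this is not WordPress's own code, and the function names looks_serialized, store_value and load_value, plus the sample bio value, are assumptions made for the example): a string that already has the shape of serialized data is itself serialized before storage, so the loader unserializes exactly once and hands back the original string, while real arrays still round-trip as arrays. The loader also passes allowed_classes => false so stored data can never instantiate application classes on the way out.

```php
<?php
// Added example, not WordPress code. Names and sample values are assumptions.

// Cheap heuristic: does the string have the shape of PHP serialized data?
// Deliberately simple; it only needs to agree with what load_value() trusts.
function looks_serialized(string $data): bool
{
    $data = trim($data);
    if ($data === 'N;') {
        return true;
    }
    if (strlen($data) < 4 || $data[1] !== ':') {
        return false;
    }
    switch ($data[0]) {
        case 's':
        case 'a':
        case 'O':
        case 'C':
            $last = substr($data, -1);
            return $last === ';' || $last === '}';
        case 'b':
        case 'i':
        case 'd':
            return (bool) preg_match('/^[bid]:-?[0-9.E+-]+;$/', $data);
    }
    return false;
}

// Store: serialize arrays/objects, and ALSO serialize a plain string that merely
// looks serialized, so that load_value() returns that string unchanged.
function store_value($value): string
{
    if (is_array($value) || is_object($value)) {
        return serialize($value);
    }
    if (is_string($value) && looks_serialized($value)) {
        return serialize($value); // wraps it as s:N:"...";
    }
    return (string) $value;
}

// Load: unserialize only what looks serialized, exactly once, and never let
// stored data pick which classes get instantiated.
function load_value(string $stored)
{
    if (looks_serialized($stored)) {
        return unserialize($stored, ['allowed_classes' => false]);
    }
    return $stored;
}

// True when a value survives a store/load cycle unchanged.
function round_trips($value): bool
{
    return load_value(store_value($value)) === $value;
}

// Constructed samples: a bio that self-identifies as a serialized array,
// a genuine array, and ordinary text.
$bio   = 'a:1:{i:0;s:3:"foo";}';
$prefs = ['theme' => 'dark'];
$text  = 'plain text';

foreach ([$bio, $prefs, $text] as $sample) {
    echo json_encode($sample), ' round-trips: ', round_trips($sample) ? 'yes' : 'no', PHP_EOL;
}
```

Without the extra serialize() call in store_value(), the bio string would be stored verbatim, recognised as serialized on load, and come back as an array rather than the string the user typed; that is the type confusion the ticket is about, and the double-serialize step removes it without needing a separate type column.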