[wp-trac] Re: [WordPress Trac] #2591: users can enter dangerous serialized strings

WordPress Trac wp-trac at lists.automattic.com
Sat Mar 25 04:21:39 GMT 2006

#2591: users can enter dangerous serialized strings
       Id:  2591         |      Status:  assigned                
Component:  Security     |    Modified:  Sat Mar 25 04:21:39 2006
 Severity:  normal       |   Milestone:  2.1                     
 Priority:  normal       |     Version:  2.0.2                   
    Owner:  markjaquith  |    Reporter:  random                  
Comment (by markjaquith):

 Good idea, random.  I was worried about false-positives.  This way, data
 that looks to be serialized can still be stored, but won't be dangerous,
 because it's just a serialized string.  Those instances should be very
 rare.  And anyway, that data would cause problems now anyway... because
 what should be a string will come out looking like an array or an
 object... this way we preserve it as a string.

 Writing it up now.

 And David, the reason we don't want to try to unserialize it is that it
 could be a string masquerading as serialized data, like an array with 100
 million members.  the maybe_unserialize() function does just that, and
 that's what is causing this whole problem.

Ticket URL: <http://trac.wordpress.org/ticket/2591>
WordPress Trac <http://wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list