[wp-trac] Re: [WordPress Trac] #2591: users can enter dangerous serialized strings
WordPress Trac
wp-trac at lists.automattic.com
Sat Mar 25 12:08:54 GMT 2006
#2591: users can enter dangerous serialized strings
-------------------------+--------------------------------------------------
       Id:  2591         |      Status:  assigned
Component:  Security     |    Modified:  Sat Mar 25 12:08:54 2006
 Severity:  normal       |   Milestone:  2.1
 Priority:  normal       |     Version:  2.0.2
    Owner:  markjaquith  |    Reporter:  random
-------------------------+--------------------------------------------------
Comment (by markjaquith):
Latest patch does the following:

 * Strings that appear to be already serialized data are serialized again when adding/updating the meta/option.
 * Serialized strings are unserialized for display in postmeta and options.php fields.
 * Serialized arrays/objects are displayed as %SERIALIZED_DATA% on options.php and the field is uneditable. These values are ignored on update.
 * maybe_unserialize() runs an is_serialized() check first, instead of just blindly unserializing. This should make it faster (I think).
 * A new function, prepare_data(), does the work of serializing objects/arrays as well as serializing strings that are already serialized data, and doing trim() on strings. This replaces about 4 or 5 instances of redundant code (yay!)
 * Custom fields with non-string data are simply not displayed. They're not meant to be user-editable anyway.

I think that's it. Please test thoroughly. Try entering malicious data like the data "random" presented in a custom field or an options field. Try entering it in an options.php field. Try to find an instance where valid, serialized data is not serialized again (if it shows up in options.php and unserialize($data) doesn't return false, you've found a false negative).
--
Ticket URL: <http://trac.wordpress.org/ticket/2591>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
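An added illustration of the double-serialization defence the comment describes; this is not code from the ticket or from WordPress, and the function names and the is_serialized-style heuristic are simplified stand-ins of my own.

```php
<?php
// Heuristic stand-in for is_serialized(): does $data look like serialize() output?
function looks_serialized(string $data): bool {
    $data = trim($data);
    if ($data === 'N;') {
        return true;
    }
    // A type letter followed by ':' and a terminating ';' or '}' is required.
    if (strlen($data) < 4 || $data[1] !== ':') {
        return false;
    }
    $last = substr($data, -1);
    switch ($data[0]) {
        case 's': return preg_match('/^s:\d+:".*";$/s', $data) === 1;
        case 'a':
        case 'O': return $last === '}';
        case 'b':
        case 'i':
        case 'd': return $last === ';';
    }
    return false;
}

// Stand-in for prepare_data(): arrays/objects are serialized, strings are trimmed,
// and a string that already looks serialized is serialized again so that it is
// read back as a plain string rather than interpreted as an object or array.
function prepare_for_storage($value): string {
    if (is_array($value) || is_object($value)) {
        return serialize($value);
    }
    $value = trim((string) $value);
    return looks_serialized($value) ? serialize($value) : $value;
}

// Stand-in for maybe_unserialize(): only call unserialize() on data that looks serialized.
function read_from_storage(string $stored) {
    return looks_serialized($stored) ? unserialize($stored) : $stored;
}

// Constructed input: a user-supplied custom field value that is itself serialized data.
$user_input = 'O:8:"stdClass":1:{s:5:"admin";b:1;}';
$stored = prepare_for_storage($user_input);   // becomes s:N:"O:8:..."; a string wrapper
$back   = read_from_storage($stored);         // the original text, not a stdClass object
var_dump(is_string($back) && $back === $user_input); // bool(true)

// A genuine array stored by the application still round-trips unchanged.
$stored_array = prepare_for_storage(['siteurl' => 'http://example.com']);
var_dump(read_from_storage($stored_array) === ['siteurl' => 'http://example.com']); // bool(true)
```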