[wp-trac] Re: [WordPress Trac] #4029: maybe_serialize() can do double-serialize
WordPress Trac
wp-trac at lists.automattic.com
Mon Mar 26 03:13:23 GMT 2007
#4029: maybe_serialize() can do double-serialize
------------------------------------+---------------------------------------
Reporter: takayukister | Owner: anonymous
Type: defect | Status: reopened
Priority: normal | Milestone: 2.2
Component: General | Version: 2.2
Severity: major | Resolution:
Keywords: has-patch dev-feedback |
------------------------------------+---------------------------------------
Comment (by masquerade):
I believe it's intentional also. This way, nobody can fake a serialized
string that is an array with a bizarre amount of elements for the sole
purpose of crashing PHP and the webserver. I remember this being a bug in
the past because you could put a serialized string in some of the options
fields and it would be deserialized, meaning you could inject
objects/large arrays/etc.
--
Ticket URL: <http://trac.wordpress.org/ticket/4029#comment:5>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
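
The behaviour discussed in the comment above, as an added PHP sketch that is not part of the original message and is not WordPress core code: the `demo_*` functions are simplified, hypothetical stand-ins for `maybe_serialize()` and its read-side counterpart, and the input string is constructed. It compares a value saved through the double-serialize guard with the same value stored raw.

```php
<?php
// Hypothetical, simplified stand-ins written for this example; not WordPress core.

function demo_is_serialized($value): bool {
    // Cheap shape check only: a type tag and ':' up to a closing ';' or '}', or the null token.
    return is_string($value)
        && preg_match('/^(?:[abdisO]:.+[;}]|N;)$/s', trim($value)) === 1;
}

function demo_maybe_serialize($value) {
    if (is_array($value) || is_object($value)) {
        return serialize($value);
    }
    if (demo_is_serialized($value)) {
        // The guard from the ticket: a string that already looks serialized
        // gets a second layer, so reading it back yields the string itself.
        return serialize($value);
    }
    return $value;
}

function demo_maybe_unserialize($stored) {
    if (demo_is_serialized($stored)) {
        // allowed_classes => false: stored data never instantiates objects.
        return unserialize($stored, ['allowed_classes' => false]);
    }
    return $stored;
}

// Constructed input: text typed into an option field that has the shape of a serialized array.
$typed = 'a:2:{i:0;s:1:"x";i:1;s:1:"y";}';

// Case 1: saved through the guard, then read back.
$stored = demo_maybe_serialize($typed);
printf("stored with guard : %s\n", $stored);
printf("read back as      : %s\n", gettype(demo_maybe_unserialize($stored)));

// Case 2: the same text stored raw (no guard), then read back.
printf("raw, read back as : %s\n", gettype(demo_maybe_unserialize($typed)));

// Case 3: a genuine array option still round-trips through the same pair.
$option = ['posts_per_page' => 10];
printf("array round-trip  : %s\n",
    demo_maybe_unserialize(demo_maybe_serialize($option)) === $option ? 'intact' : 'changed');
```

The type printed for case 1 versus case 2 is the point: only the guarded path keeps user-typed text as text on the way out.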