[wp-trac] [WordPress Trac] #17375: Serialized option values broken for classes and strings on unserialize for C and S
WordPress Trac
wp-trac at lists.automattic.com
Fri Jun 10 02:03:17 UTC 2011
#17375: Serialized option values broken for classes and strings on unserialize for C
and S
--------------------------+--------------------------
Reporter: hakre | Owner: markjaquith
Type: defect (bug) | Status: reviewing
Priority: normal | Milestone: 3.2
Component: General | Version: 3.1
Severity: normal | Resolution:
Keywords: has-patch |
--------------------------+--------------------------
Comment (by dd32):
Went on a hunt for the S modifier.
Led me to this changeset in PHP:
[http://svn.php.net/viewvc?view=revision&revision=225029 phprev 225029]
which suggests it was for PHP6(5.3?) future compatibility, which then led
to [http://svn.php.net/viewvc?view=revision&revision=232476 phprev 232476],
which finally gives us a
[http://www.php-security.org/MOPB/MOPB-29-2007.html security report about the 'S' modifier].
> With PHP 5.2.1 the new S: data type was added to unserialize(). It is
> meant as compatibility layer for exchange of serialized data with future
> PHP 6. The data type itself is similar to the normal s: string data type
> with the exception that simple escaped bytes are supported. The following
> string is an example.
With PHP6 never being released, AFAIK, there are no cases where the S data
type should be created by PHP, looking through
[http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/standard/var.c?view=markup PHP 5.3's branch's var.c]
seems to validate that.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/17375#comment:8>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
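
An added example, not part of the ticket or of WordPress: a structural walker for PHP's serialized format that reports where each type tag sits, so a stored value using `S:` can be flagged before it reaches unserialize(), without false hits on `S:` text inside an ordinary `s:` payload. It assumes the `S:` escape form accepted by PHP's unserialize() (a backslash followed by two hex digits, with the length counting decoded bytes); the function names and sample values are constructed for illustration.

```python
def _expect(data, pos, lit):
    if data[pos:pos + len(lit)] != lit:
        raise ValueError(f"expected {lit!r} at offset {pos}")
    return pos + len(lit)

def _int(data, pos, end):
    stop = data.index(end, pos)            # ValueError if terminator is missing
    return int(data[pos:stop]), stop + len(end)

def _walk(data, pos, found):
    tag = data[pos:pos + 1].decode("latin-1")
    found.append((pos, tag))
    if tag == "N":
        return _expect(data, pos + 1, b";")
    pos = _expect(data, pos + 1, b":")
    if tag in ("b", "i", "d", "r", "R"):   # scalars and references end at ';'
        return data.index(b";", pos) + 1
    if tag in ("s", "S", "O", "C"):        # length-prefixed string or class name
        n, pos = _int(data, pos, b':"')
        if tag == "S":                     # n counts decoded bytes; \xx is one byte
            for _ in range(n):
                pos += 3 if data[pos:pos + 1] == b"\\" else 1
        else:
            pos += n
        if tag in ("s", "S"):
            return _expect(data, pos, b'";')
        pos = _expect(data, pos, b'":')
    if tag in ("a", "O"):                  # n key/value pairs, each a nested value
        n, pos = _int(data, pos, b":{")
        for _ in range(2 * n):
            pos = _walk(data, pos, found)
        return _expect(data, pos, b"}")
    if tag == "C":                         # opaque custom payload of n bytes
        n, pos = _int(data, pos, b":{")
        return _expect(data, pos + n, b"}")
    raise ValueError(f"unknown type tag {tag!r}")

def structural_tags(data):
    """Return [(offset, tag)] for every value in one serialized blob."""
    found = []
    if _walk(data, 0, found) != len(data):
        raise ValueError("trailing bytes after serialized value")
    return found

def uses_escaped_strings(data):
    return any(tag == "S" for _, tag in structural_tags(data))

# Constructed samples: the first only *contains* the text S:1:"x"; in a payload.
SAMPLE_PLAIN = b'a:1:{s:4:"note";s:9:"S:1:"x";!";}'
SAMPLE_ESCAPED = b'a:1:{s:4:"note";S:3:"a\\62c";}'
```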