[wp-trac] [WordPress Trac] #26521: maybe_unserialize() don't need to use is_serialized()
WordPress Trac
noreply at wordpress.org
Tue Dec 10 16:27:55 UTC 2013
#26521: maybe_unserialize() don't need to use is_serialized()
-------------------------+------------------------------
Reporter: kkarpieszuk | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Performance | Version: trunk
Severity: normal | Resolution:
Keywords: |
-------------------------+------------------------------
Comment (by nacin):
Replying to [ticket:26521 kkarpieszuk]:
> Hi, this is my first submission to Trac, so I hope I will do everything
> well ;)
Welcome! I am all for submissions backed by XDebug :-)
> I see that wp-includes/functions.php::maybe_unserialize() could be
> written to work faster. It doesn't actually need to run is_serialized(),
> because PHP checks this in PHP::unserialize().
Unfortunately we can't change how this function is written.
is_serialized() operates as a guard to make sure that only things that had
been serialized by maybe_serialize() are unserialized. If you can craft a
string that maybe_serialize() won't re-serialize, but unserialize()
''will'' unserialize, then you open yourself up to object injection.
A possible improvement (for a new ticket) would be to lessen the number of
times maybe_unserialize() gets called. I'd be all for reducing that from
1776 to more like once-per-unique-value. We call it with every
get_option() call. In an ideal world, it only gets called after DB runs.
Somewhat related is #23381, though.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/26521#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
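The guard nacin describes, as an added example that is not WordPress core code and not code from either participant in the ticket: a simplified is_serialized()-style format check in front of unserialize(), so that input which unserialize() would happily decode but which serialize() would never have produced (here, a payload with trailing bytes) is passed through as a plain string instead. It also goes beyond the 2013 discussion by adding the allowed_classes option that PHP 7 introduced. The names looks_serialized, safe_maybe_unserialize and Gadget are hypothetical; PHP 8 syntax is assumed.

```php
<?php
// Added example, not WordPress core code. A simplified stand-in for the
// is_serialized()/maybe_unserialize() guard discussed in the ticket.
// Names (looks_serialized, safe_maybe_unserialize, Gadget) are hypothetical.

declare(strict_types=1);

// Stand-in for an application class with a side effect in its destructor,
// the usual target of PHP object injection. Constructed for this example.
class Gadget {
    public string $cmd = '';
    public function __destruct() {
        // A real gadget chain would do something like system($this->cmd).
        echo "Gadget::__destruct ran with cmd={$this->cmd}\n";
    }
}

/**
 * Cheap format check in the spirit of is_serialized(): accept only the
 * shapes serialize() emits (type tag, ':', and a terminating ';' or '}').
 * Anything else, trailing junk included, never reaches unserialize().
 */
function looks_serialized(string $data): bool {
    if ($data === 'N;') {
        return true;
    }
    if (strlen($data) < 4 || $data[1] !== ':') {
        return false;
    }
    $type = $data[0];
    switch ($type) {
        case 's':                       // s:<len>:"...";  must end with '";'
            return substr($data, -2) === '";';
        case 'a':                       // a:<n>:{...}
        case 'O':                       // O:<len>:"Class":<n>:{...}
            return substr($data, -1) === '}';
        case 'b':                       // b:0; / b:1;
        case 'i':                       // i:-3;
        case 'd':                       // d:1.5;
            return (bool) preg_match('/^' . $type . ':[0-9.E+-]+;$/', $data);
    }
    return false;
}

/**
 * maybe_unserialize()-style wrapper: input that fails the format check is
 * returned untouched; input that passes is decoded with object
 * instantiation disabled, so even a well-formed object payload cannot
 * instantiate application classes (PHP 7+ option, not in the 2013 code).
 */
function safe_maybe_unserialize(string $data): mixed {
    if (!looks_serialized($data)) {
        return $data;
    }
    return unserialize($data, ['allowed_classes' => false]);
}

// --- demonstration ---

// 1. A normal option value round-trips.
var_dump(safe_maybe_unserialize(serialize(['a' => 1, 'b' => [2, 3]])));

// 2. Trailing junk (constructed payload). PHP's unserialize() decodes the
//    leading object anyway (silently before 8.3, with a warning from 8.3 on)
//    and Gadget::__destruct would run; the format check refuses it and the
//    string is handed back as-is.
$junk = 'O:6:"Gadget":1:{s:3:"cmd";s:2:"id";}trailing-junk';
var_dump(looks_serialized($junk));                 // false
var_dump(safe_maybe_unserialize($junk) === $junk); // true

// 3. A well-formed object payload passes the format check, but with
//    allowed_classes=false it becomes __PHP_Incomplete_Class, whose
//    destructor is not Gadget's.
$payload = 'O:6:"Gadget":1:{s:3:"cmd";s:2:"id";}';
var_dump(safe_maybe_unserialize($payload) instanceof __PHP_Incomplete_Class); // true
```

The format check alone is only a heuristic, which is exactly why nacin frames the risk as "a string is_serialized() rejects but unserialize() accepts" (or the reverse); disabling class instantiation closes the object-injection path regardless of how well the heuristic matches serialize()'s grammar.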