[wp-trac] [WordPress Trac] #24023: 3.5/wp-includes/functions.php : missing break statement

WordPress Trac noreply at wordpress.org
Thu Sep 12 03:29:20 UTC 2013

#24023: 3.5/wp-includes/functions.php : missing break statement
 Reporter:  tivnet        |       Owner:
     Type:  defect (bug)  |      Status:  reopened
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  General       |     Version:  3.5.1
 Severity:  normal        |  Resolution:
 Keywords:  needs-patch   |

Comment (by dd32):

 Replying to [comment:2 nacin]:
 > Let's comment this with `// Fall through` so others know it is

 That's the only valid part of this ticket.

 For security purposes, we cannot attempt to run `unserialize()` on
 untrusted data, so let's add a comment and move on.
 For an explanation of why we have is_serialized(), and why it doesn't run
 on untrusted data, [http://codex.wordpress.org/Version_3.6.1 the 3.6.1
 changelog] is the most recent thing I can point to:
 * Remote Code Execution: Block unsafe PHP de-serialization that could
 occur in limited situations and setups, which can lead to remote code
 execution. Reported by Tom Van Goethem. CVE-2013-4338.
 Any change along the lines suggested in this ticket will undo the fixes
 put in place for that, as well as potentially making it easier than before
 to exploit.

Ticket URL: <http://core.trac.wordpress.org/ticket/24023#comment:10>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
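Added example (not WordPress core code, not part of the ticket): a purely structural check for serialized strings, with the `s` case deliberately falling through to the shared regex and commented as such, followed by a guarded `unserialize()`. The function names are assumed; the `allowed_classes` option is a PHP 7.0+ hardening that goes beyond what the comment describes.

```php
<?php
// Added example. Nothing here calls unserialize() until the format check
// has passed, and even then objects are never instantiated.

function looks_serialized( string $data ): bool {
    $data = trim( $data );
    if ( 'N;' === $data ) {
        return true; // serialized null
    }
    if ( strlen( $data ) < 4 || ':' !== $data[1] ) {
        return false;
    }
    $token = $data[0];
    $last  = substr( $data, -1 );
    switch ( $token ) {
        case 's':
            // s:<len>:"<bytes>"; must carry a closing quote before the ';'
            if ( '"' !== substr( $data, -2, 1 ) ) {
                return false;
            }
            // Fall through: strings share the "<token>:<number>:" prefix check.
        case 'a':
        case 'O':
            return (bool) preg_match( "/^{$token}:[0-9]+:/s", $data )
                && in_array( $last, array( ';', '}' ), true );
        case 'b':
        case 'i':
        case 'd':
            return (bool) preg_match( "/^{$token}:[0-9.E+-]+;$/", $data );
    }
    return false;
}

// Hypothetical helper: hand plain strings back untouched, and when the shape
// is right, refuse to instantiate objects. With allowed_classes => false any
// O:... payload becomes __PHP_Incomplete_Class, so no __wakeup()/__destruct()
// of application classes can run (PHP 7.0+).
function unserialize_if_trusted_format( string $data ) {
    if ( ! looks_serialized( $data ) ) {
        return $data;
    }
    return unserialize( $data, array( 'allowed_classes' => false ) );
}

// Constructed inputs: a valid string, a truncated string, plain text, an object.
foreach ( array( 's:5:"hello";', 's:5:"hello"', 'hello', 'O:8:"stdClass":0:{}' ) as $in ) {
    var_dump( unserialize_if_trusted_format( $in ) );
}
```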
