[wp-trac] [WordPress Trac] #24023: 3.5/wp-includes/functions.php : missing break statement
WordPress Trac
noreply at wordpress.org
Thu Sep 12 03:29:20 UTC 2013
#24023: 3.5/wp-includes/functions.php : missing break statement
--------------------------+------------------------------
 Reporter:  tivnet        |       Owner:
     Type:  defect (bug)  |      Status:  reopened
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  General       |     Version:  3.5.1
 Severity:  normal        |  Resolution:
 Keywords:  needs-patch   |
--------------------------+------------------------------
Comment (by dd32):
Replying to [comment:2 nacin]:
> Let's comment this with `// Fall through` so others know it is deliberate.
That's the only valid part of this ticket.
For security purposes, we cannot attempt to run `unserialize()` on
untrusted data, so let's add a comment and move on.
For an explanation of why we have is_serialized(), and why it doesn't run
on untrusted data, [http://codex.wordpress.org/Version_3.6.1 the 3.6.1
changelog] is the most recent thing I can point to:
* Remote Code Execution: Block unsafe PHP de-serialization that could
occur in limited situations and setups, which can lead to remote code
execution. Reported by Tom Van Goethem. CVE-2013-4338.
Any change along the lines suggested in this ticket will undo the fixes
put in place for that, as well as potentially making it easier than before
to exploit.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24023#comment:10>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
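As an added illustration (not WordPress code and not part of dd32's comment), a simplified PHP shape check in the spirit of is_serialized() that keeps the deliberate `case 's'` fall-through commented, plus a wrapper that only hands a value to `unserialize()` once the check passes. `looks_serialized()` and `maybe_unserialize_safely()` are hypothetical names, and the `allowed_classes => false` option (PHP 7.0+) is this example's own hardening, not something the ticket proposes.

```php
<?php
// Added example, not WordPress code: a simplified shape check in the spirit of
// is_serialized(), with the deliberate switch fall-through commented, and a
// wrapper that only reaches unserialize() when the shape check passes.

function looks_serialized(string $data): bool
{
    $data = trim($data);
    if ('N;' === $data) {
        return true;                  // serialized null is the only two-byte form
    }
    if (strlen($data) < 4 || ':' !== $data[1]) {
        return false;                 // every other type starts with "<letter>:"
    }
    $last = substr($data, -1);
    if (';' !== $last && '}' !== $last) {
        return false;                 // scalars end in ';', arrays/objects in '}'
    }
    switch ($data[0]) {
        case 's':
            // A serialized string must close with '";' before the shared check.
            if ('"' !== substr($data, -2, 1)) {
                return false;
            }
            // Fall through: 's', 'a' and 'O' all continue as "<type>:<number>:".
        case 'a':
        case 'O':
            return (bool) preg_match("/^{$data[0]}:[0-9]+:/s", $data);
        case 'b':
        case 'i':
        case 'd':
            return (bool) preg_match("/^{$data[0]}:[0-9.E+-]+;$/", $data);
    }
    return false;                     // unknown type letter
}

// Hypothetical wrapper: values without the serialized shape pass through
// untouched; when unserialize() does run, object instantiation is refused
// (allowed_classes is a PHP 7.0+ option, this example's own hardening).
function maybe_unserialize_safely(string $value)
{
    if (!looks_serialized($value)) {
        return $value;
    }
    return unserialize($value, ['allowed_classes' => false]);
}

// Constructed sample inputs.
var_dump(looks_serialized('s:3:"abc";'));        // well-formed string
var_dump(looks_serialized('a:1:{i:0;i:1;}'));    // well-formed array
var_dump(looks_serialized('s:3:"abc"'));         // missing trailing ';'
var_dump(maybe_unserialize_safely('plain text')); // not serialized, returned as-is
```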