[wp-trac] [WordPress Trac] #25311: Replace PHP-serialized data with JSON in api.wordpress.org

WordPress Trac noreply at wordpress.org
Fri Sep 13 14:59:05 UTC 2013

#25311: Replace PHP-serialized data with JSON in api.wordpress.org
 Reporter:  scribu              |      Owner:
     Type:  enhancement         |     Status:  new
 Priority:  normal              |  Milestone:  Awaiting Review
Component:  WordPress.org site  |    Version:
 Severity:  normal              |   Keywords:
 Returning PHP-serialized strings in api.wordpress.org is lame, for two

 ### Security

 It has the potential to lead to security exploits via PHP object
 injection: http://vagosec.org/2013/09/wordpress-php-object-injection/

 Considering that Core doesn't use HTTPS for most requests it makes to
 api.wordpress.org, this is even more plausible.

 ### Portability

 It's hard to unserialize these strings in other languages besides PHP.
 JSON is the obvious replacement.

 Related: #meta124

Ticket URL: <http://core.trac.wordpress.org/ticket/25311>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list