[wp-trac] [WordPress Trac] #37757: Add `allowed_classes` to `maybe_unserialize` When WordPress is running on PHP 7+
WordPress Trac
noreply at wordpress.org
Sun Aug 21 11:39:58 UTC 2016
#37757: Add `allowed_classes` to `maybe_unserialize` When WordPress is running on PHP 7+
----------------------------+-----------------------------
Reporter: chrisguitarguy | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: trunk
Severity: normal | Keywords:
Focuses: |
----------------------------+-----------------------------
PHP 7 added an options array to unserialize:
http://php.net/manual/en/function.unserialize.php
The most notable option is passing a whitelist of classes that can be
unserialized which can help mitigate some remote code execution
vulnerabilities.
Something like this (PHP 5.X will throw a warning if a second argument is
provided to `unserialize`).
{{{#!php
function maybe_unserialize( $input ) {
	// is_serialized() is the existing WordPress helper that checks the format.
	if ( ! is_serialized( $input ) ) {
		return false;
	}
	// PHP 7+ accepts an options array (e.g. 'allowed_classes'); PHP 5.x only
	// takes one argument, so the filter is applied on PHP 7+ only.
	return PHP_MAJOR_VERSION >= 7
		? @unserialize( $input, apply_filters( 'wp_maybe_unserialize_options', [] ) )
		: @unserialize( $input );
}
}}}
By default, I don't think any whitelisting needs to be done -- would be a
huge BC break. But it would be nice to give developers an option to lock
down what can be unserialized via `maybe_unserialize`.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/37757>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
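The effect of the `allowed_classes` option the ticket refers to, as an added stand-alone example (not code from the ticket or from WordPress core): a small wrapper passes a whitelist to `unserialize()`, and a disallowed object comes back as `__PHP_Incomplete_Class`, so none of its magic methods (`__wakeup`, `__destruct`) run. The `Settings` class, the `safe_unserialize` name and the sample payload are constructed for the demo; it assumes PHP 7.0 or later.

```php
<?php
// Added example, not part of the ticket. Demonstrates the allowed_classes
// option of unserialize() introduced in PHP 7.0.

// Constructed class standing in for any application object.
class Settings
{
    public $theme = 'default';
}

// Hypothetical lock-down wrapper: only class names listed in $allowed are
// revived as real objects; anything else becomes __PHP_Incomplete_Class.
function safe_unserialize($data, array $allowed = [])
{
    if (PHP_MAJOR_VERSION < 7) {
        // allowed_classes is unavailable on PHP 5.x; refuse rather than fall
        // back to an unrestricted unserialize() of the input.
        return false;
    }
    // An empty array means "no classes at all" (same as false).
    return @unserialize($data, ['allowed_classes' => $allowed]);
}

// Constructed payload containing a serialized object.
$payload = serialize(new Settings());

// 1. Empty whitelist: the object is not revived as Settings.
$blocked = safe_unserialize($payload, []);
if ($blocked instanceof __PHP_Incomplete_Class) {
    echo "blocked: object came back as __PHP_Incomplete_Class\n";
}

// 2. Whitelisted class: the real object is returned.
$revived = safe_unserialize($payload, ['Settings']);
if ($revived instanceof Settings && $revived->theme === 'default') {
    echo "allowed: Settings revived with theme={$revived->theme}\n";
}

// 3. Scalars and arrays are never affected by the whitelist.
$plain = safe_unserialize(serialize(['a' => 1]), []);
if (is_array($plain) && $plain['a'] === 1) {
    echo "plain data unaffected\n";
}
```

Run with `php example.php` on PHP 7+. The whitelist only controls which classes are instantiated; arrays and scalars always deserialize, which is why an empty default whitelist in WordPress would break any option storing objects, as the ticket notes.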