[wp-trac] [WordPress Trac] #37757: Add `allowed_classes` to `maybe_unserialize` When WordPress is running on PHP 7+

WordPress Trac noreply at wordpress.org
Wed Sep 13 21:39:28 UTC 2017


#37757: Add `allowed_classes` to `maybe_unserialize` When WordPress is running on
PHP 7+
--------------------------------------+------------------------------
 Reporter:  chrisguitarguy            |       Owner:
     Type:  enhancement               |      Status:  new
 Priority:  normal                    |   Milestone:  Awaiting Review
Component:  Security                  |     Version:
 Severity:  normal                    |  Resolution:
 Keywords:  has-patch has-unit-tests  |     Focuses:
--------------------------------------+------------------------------

Comment (by seuser):

 Nice, thanks for the info.

 Your arguments make sense to me - once a plugin is installed, regardless
 of whether it interacts with WP, it would need to be trusted as you say.

 A compromise could be to pass through the option name from the get_option
 function as a third argument to this. That could allow the developer to
 modify the unserialise options only for a specific option.

 {{{#!php
 <?php
 function get_option( ... ) {
         // ...
         return apply_filters( "option_{$option}", maybe_unserialize(
 $value, array(), $option ), $option );
 }
 }}}

 {{{#!php
 <?php
 function maybe_unserialize( $value, $options = array(), $key = '' ) {
         // ...
         // Let a filter tailor the unserialize() options (e.g. allowed_classes)
         // for this particular option key; $value is the raw stored string.
         $options = apply_filters( 'unserialization_options', $options, $value, $key );
         // ...
 }
 }}}

 But in that case, the pre filter in get_option could similarly be used
 to target a specific option, albeit with a bit more effort. For that
 reason, I'd be happy to leave it as is.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/37757#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
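
As an added, self-contained illustration of the behaviour this thread is discussing (this is example code, not the ticket's patch, the commenter's code or WordPress core): PHP 7's second argument to unserialize() lets a caller refuse to instantiate classes from stored data, and a per-option-key allow-list, standing in for the sketched `unserialization_options` filter, can re-enable specific classes only where a plugin expects them. The `Logger` class, the option names and the `$unserialize_options_by_key` registry are hypothetical and constructed for this demonstration.

```php
<?php
// Added example; not part of the ticket or of WordPress. Requires PHP >= 7.0.

// A hypothetical "gadget" class: its destructor runs automatically as soon as
// an unserialized Logger object goes out of scope, which is the kind of side
// effect an attacker who controls a stored serialized string is after.
class Logger {
    public $file;
    public $line;
    public function __destruct() {
        echo "Logger::__destruct ran (would write '{$this->line}' to {$this->file})\n";
    }
}

// Hypothetical per-option registry, playing the role of the filter the
// comment proposes: only the named option may yield real Logger objects.
$unserialize_options_by_key = array(
    'my_plugin_log_settings' => array( 'allowed_classes' => array( 'Logger' ) ),
);

// Simplified stand-in for maybe_unserialize(): decode a stored value with a
// safe default (no classes at all) unless the option key is allow-listed.
function demo_maybe_unserialize( $value, $key, array $registry ) {
    if ( ! is_string( $value ) ) {
        return $value;
    }
    // Only attempt to decode strings that look like PHP serialization output.
    if ( ! preg_match( '/^(a|O|s|i|d|b|N):/', $value ) ) {
        return $value;
    }
    // Safe default: allowed_classes => false turns every object into
    // __PHP_Incomplete_Class, so no __wakeup()/__destruct() gadget can fire.
    $options = array( 'allowed_classes' => false );
    if ( isset( $registry[ $key ] ) ) {
        $options = array_merge( $options, $registry[ $key ] );
    }
    // @ suppresses the E_NOTICE unserialize() emits on malformed input.
    $result = @unserialize( $value, $options );
    // unserialize() returns false both on failure and for a stored `false`;
    // distinguish the two so a corrupt value is handed back unchanged.
    return ( false === $result && 'b:0;' !== $value ) ? $value : $result;
}

// Constructed payload: a serialized Logger object as an attacker might plant
// it in any option they can write to (e.g. through a plugin's settings form).
$payload = 'O:6:"Logger":2:{s:4:"file";s:12:"/tmp/pwn.txt";s:4:"line";s:5:"owned";}';

// 1. Ordinary array data decodes normally under the safe default.
$plain = demo_maybe_unserialize( 'a:1:{s:3:"foo";s:3:"bar";}', 'some_option', $unserialize_options_by_key );
var_dump( $plain['foo'] );          // string(3) "bar"

// 2. The same payload stored under a non-allow-listed option: no Logger is
//    instantiated and the destructor never runs.
$blocked = demo_maybe_unserialize( $payload, 'some_other_option', $unserialize_options_by_key );
var_dump( get_class( $blocked ) );  // string(22) "__PHP_Incomplete_Class"
unset( $blocked );                  // nothing is printed here

// 3. Under the allow-listed option key a real Logger comes back, and its
//    destructor fires when the variable is released.
$allowed = demo_maybe_unserialize( $payload, 'my_plugin_log_settings', $unserialize_options_by_key );
var_dump( get_class( $allowed ) );  // string(6) "Logger"
unset( $allowed );                  // prints the Logger::__destruct line
```

The point the registry makes concrete is the trade-off raised in the thread: a global `allowed_classes => false` default is the safest setting, while keying exceptions by option name confines any class that must be deserialized to the one option whose writer is already trusted, rather than every option on the site.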
