[wp-trac] [WordPress Trac] #53295: Serialized data should be handled as an opaque value

WordPress Trac noreply at wordpress.org
Tue Jun 1 20:24:53 UTC 2021


#53295: Serialized data should be handled as an opaque value
-----------------------------+------------------------------
 Reporter:  whitewinterwolf  |       Owner:  (none)
     Type:  defect (bug)     |      Status:  new
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  General          |     Version:
 Severity:  normal           |  Resolution:
 Keywords:  has-patch        |     Focuses:
-----------------------------+------------------------------

Comment (by whitewinterwolf):

 Hi @siliconforks,

 The thing is that the current code is already "vulnerable" to the issues
 you raise:

 - ''Object injection with PHP 5.6:'' `is_serialized()` already returns
 `true`, so the caller will unserialize it and execute the malicious payload
 anyway.
 - ''Object injection from data stored in the database by older WordPress
 versions:'' checking the first character of the serialized string doesn't
 do anything against trivial bypasses such as objects stored in an array,
 and so is completely ineffective at protecting against such a threat.

 Nevertheless, I can understand that:

 - One may prefer to stick to the historical behavior as much as possible,
 no matter the reasoning behind it.
 - One may prefer to leave it to the caller to trigger the payload, even if
 it doesn't change anything about the consequences.

 I've therefore pushed a new commit:

 - Restoring the legacy code for legacy PHP.
 - Restoring the original unit test.
 - Updating the function description to more closely match its behavior.
 - Enabling standard code for PHP >= 7.0.0, allowing the use of tools such
 as Snuffleupagus to efficiently protect against the threats you describe.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/53295#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
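The bypass the comment describes, as an added stand-alone illustration (not code from the ticket, its patch, or WordPress core): a first-character gate rejects a top-level `O:` payload but accepts the same object once it is wrapped in an array, and `unserialize()` then instantiates it anyway. The `Gadget` class and `passes_first_char_check()` are constructed for this example; the closing step uses the `allowed_classes` option that `unserialize()` has had since PHP 7.0, shown here as the native mechanism, without claiming it is what the ticket's patch does.

```php
<?php
// Added illustration, not WordPress or Trac code. Gadget and
// passes_first_char_check() are constructed for this example.

// Stand-in for any class in a real codebase that has a side effect in a
// magic method; unserialize() invokes __wakeup() as soon as it builds one.
class Gadget {
    public $cmd = 'noop';
    public function __wakeup() {
        echo "Gadget::__wakeup() ran with cmd={$this->cmd}\n";
    }
}

// The kind of shallow gate the comment argues against: accept the string
// unless its first character announces a top-level object ("O:").
function passes_first_char_check(string $data): bool {
    return substr($data, 0, 1) !== 'O';
}

$direct = serialize(new Gadget());    // serialized form begins with "O:"
$nested = serialize([new Gadget()]);  // serialized form begins with "a:"

// 1. The gate rejects the obvious top-level object payload.
var_dump(passes_first_char_check($direct));

// 2. The same object wrapped in an array passes the gate, and unserialize()
//    still instantiates Gadget and runs its __wakeup().
var_dump(passes_first_char_check($nested));
$obj = unserialize($nested);
var_dump(get_class($obj[0]));

// 3. PHP >= 7.0: tell unserialize() to instantiate no classes at all. Any
//    object in the payload becomes __PHP_Incomplete_Class, so the gadget's
//    magic method never runs, whatever the nesting depth.
$safe = unserialize($nested, ['allowed_classes' => false]);
var_dump(get_class($safe[0]));
```

Run it with `php` on a PHP 7.0 or newer interpreter; step 3 needs the second argument to `unserialize()`, which PHP 5.6 does not accept, and that gap is exactly why the comment keeps the legacy branch for old PHP and enables the standard path only from 7.0.0.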

