[wp-trac] [WordPress Trac] #53295: Serialized data should be handled as an opaque value
WordPress Trac
noreply at wordpress.org
Wed Jun 2 10:56:42 UTC 2021
#53295: Serialized data should be handled as an opaque value
-----------------------------+------------------------------
Reporter: whitewinterwolf | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
-----------------------------+------------------------------
Comment (by siliconforks):
Replying to [comment:9 whitewinterwolf]:
> Hi @siliconforks,
>
> The thing is that the current code is already "vulnerable" to the issues
> you raise:
>
> - ''Object injection with PHP 5.6:'' `is_serialized()` already returns
> `true` so the caller will unserialize it and execute the malicious payload
> anyway.
The current WordPress code is not vulnerable to the attack I described
because it handles serialized data specially; specifically, the
`maybe_serialize` function
[https://github.com/WordPress/wordpress-develop/blob/5.7.2/src/wp-includes/functions.php#L607 tests for the presence of serialized data]
and serializes it again (so the data is stored in the database
double-serialized). This provides protection against malicious serialized
data (specifically, `O:...` objects) entered by a user: when the data is
retrieved from the database, it will be unserialized, but that only works on
the layer of serialization added by WordPress; the serialized data that was
provided by the user is not unserialized.
So WordPress is careful to never call `unserialize` on user input.
(Note: if you do think there's a case where WordPress calls `unserialize`
on user input, that's likely a security vulnerability and it should
probably be reported privately via [https://hackerone.com/wordpress
HackerOne]. But I don't think there is any case where that happens in the
current WordPress code.)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53295#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
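The double-serialization behaviour described in the comment above, as an added illustration that is not WordPress's own code: `looks_serialized()` is a deliberately simplified stand-in for `is_serialized()`, and `store_value()`/`load_value()` mirror what `maybe_serialize()`/`maybe_unserialize()` do with a string that already looks serialized.

```php
<?php
// Added example, not WordPress core code. Shows why wrapping user-supplied
// serialized-looking strings in a second serialize() call keeps them opaque.

// Simplified detector (assumption: a rough pattern, not the full is_serialized()).
function looks_serialized(string $data): bool {
    $data = trim($data);
    if ($data === 'N;') {
        return true;
    }
    return (bool) preg_match('/^[bidsaO]:.*[;}]$/s', $data);
}

// Mirrors maybe_serialize(): arrays and objects are serialized as usual; a
// string that already looks serialized is serialized again, so the stored
// value is WordPress's own s:N:"...": wrapper around the untouched user string.
function store_value($value): string {
    if (is_array($value) || is_object($value)) {
        return serialize($value);
    }
    if (is_string($value) && looks_serialized($value)) {
        return serialize($value);
    }
    return (string) $value;
}

// Mirrors maybe_unserialize(): exactly one unserialize() pass, which only
// peels off the layer WordPress itself added when the value was stored.
function load_value(string $stored) {
    return looks_serialized($stored) ? unserialize(trim($stored)) : $stored;
}

// Constructed input: a harmless stdClass, written as a user might submit it.
$user_input = 'O:8:"stdClass":1:{s:1:"x";i:1;}';

$stored = store_value($user_input);
$loaded = load_value($stored);

// The round trip returns the user's string unchanged and never instantiates
// the object it describes; a naive unserialize() on the raw input would.
echo 'stored as:                ', $stored, PHP_EOL;
echo 'round trip is identical:  ', var_export($loaded === $user_input, true), PHP_EOL;
echo 'object created (wrapped): ', var_export(is_object($loaded), true), PHP_EOL;
echo 'object created (naive):   ', var_export(is_object(unserialize($user_input)), true), PHP_EOL;
```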