[wp-trac] [WordPress Trac] #53295: Serialized data should be handled as an opaque value
WordPress Trac
noreply at wordpress.org
Sat Jun 5 10:20:52 UTC 2021
#53295: Serialized data should be handled as an opaque value
-----------------------------+------------------------------
Reporter: whitewinterwolf | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
-----------------------------+------------------------------
Comment (by whitewinterwolf):
Hi @siliconforks,
I'm quite familiar with your vulnerability reporting process, as I'm
notably the author of the CVE-2021-29504 published two weeks ago for
WP-CLI.
I understand there is a debate regarding the use of the `unserialize()`
function with older PHP versions to check whether some data can be
unserialized. That's why, as stated above, I restored the original legacy
code for these older PHP versions as this change is not strictly necessary
for this ticket.
Newer PHP versions (>= 7.0.0) added the `$options` parameter, which allows
calling `unserialize()` safely without running any object-related code. This
is the safest and cleanest way to do it, and makes WordPress compatible
with third-party tools (current WordPress code breaks third-party security
software, thus endangering WordPress installations). Note that I also
added a specific check for serialized data beginning with a 'C' to remain
compatible with the original behavior.
While I also updated the function description to describe this original
behavior, the description update is also not strictly necessary for this
ticket, so we can choose to keep this undocumented behavior undocumented if
you feel it's better that way.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53295#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
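The approach the comment describes, as an added illustration that is not the ticket's patch or WordPress core code: a check that decides whether a string is serialized PHP data by calling `unserialize()` with `allowed_classes => false`, so no user class is instantiated and no `__wakeup()` or `__destruct()` of one runs, plus a shape-only check for the `C:` (Serializable) format that cannot be decoded without its class. It assumes PHP >= 7.0.0; the function name is made up for this example.

```php
<?php
/**
 * Example (not WordPress code): treat serialized data as an opaque value
 * while still answering "is this a serialized string?".
 *
 * With allowed_classes => false every O: payload becomes
 * __PHP_Incomplete_Class, so the gadget-chain risk of a plain
 * unserialize() call is removed. Requires PHP >= 7.0.0.
 */
function is_serialized_opaque($data): bool
{
    if (!is_string($data)) {
        return false;
    }
    $data = trim($data);

    if ($data === 'N;') {
        return true; // serialized null
    }
    if (strlen($data) < 4 || $data[1] !== ':') {
        return false; // every other serialized value is "<type>:..."
    }

    // 'C:' is the Serializable-interface format. The decoder needs the real
    // class to process it, which allowed_classes => false forbids, so accept
    // it by shape only to stay compatible with the original behaviour.
    if ($data[0] === 'C') {
        return (bool) preg_match('/^C:\d+:"[^"]*":\d+:\{.*\}$/s', $data);
    }

    // Suppress the notice unserialize() emits on malformed input; no class
    // code can run here because user classes are not allowed.
    $value = @unserialize($data, ['allowed_classes' => false]);

    // unserialize() legitimately returns false for a serialized false.
    return $value !== false || $data === 'b:0;';
}

// Constructed sample inputs: a harmless array, an object payload (decoded as
// __PHP_Incomplete_Class, its class code never executed), and garbage.
var_dump(is_serialized_opaque('a:1:{i:0;s:3:"foo";}'));   // bool(true)
var_dump(is_serialized_opaque('O:8:"stdClass":0:{}'));     // bool(true)
var_dump(is_serialized_opaque('not serialized at all'));  // bool(false)
```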