[wp-trac] [WordPress Trac] #53295: Serialized data should be handled as an opaque value
WordPress Trac
noreply at wordpress.org
Sat Jun 12 14:53:38 UTC 2021
#53295: Serialized data should be handled as an opaque value
-----------------------------+------------------------------
Reporter: whitewinterwolf | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
-----------------------------+------------------------------
Comment (by siliconforks):
Replying to [comment:15 whitewinterwolf]:
> Replying to [comment:14 siliconforks]:
> > For example, consider the string
> > O:8:"Example1":1:{s:10:"cache_file";s:15:"../../index.php";}ab84a81d5a516892c86d3a620ac3e714286b8dcdcdebaf67e8112a54ed2514f0.
> > My understanding is that this is what serialized data looks like when
> > Snuffleupagus is enabled. Currently in WordPress, is_serialized() will
> > return false for that.
>
> Currently, `is_serialized()` **''already returns true''** for such
> serialized objects:
>
> {{{
> var_dump(is_serialized('O:8:"Example1":1:{s:10:"cache_file";s:15:"../../index.php";}'));
> #Output: bool(true)
> }}}
What I mean is that, currently, `is_serialized` will return `false` for
the string with the HMAC at the end:
{{{
var_dump(is_serialized('O:8:"Example1":1:{s:10:"cache_file";s:15:"../../index.php";}ab84a81d5a516892c86d3a620ac3e714286b8dcdcdebaf67e8112a54ed2514f0'));
#Output: bool(false)
}}}
Ultimately, in order to support Snuffleupagus, `is_serialized` would need
to return `true` for that string - but then it would violate the rule that
the behavior of `is_serialized` cannot change.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53295#comment:16>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
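
The tagged format discussed in this comment, as an added example that is not part of the original thread and is neither WordPress nor Snuffleupagus code: it splits a trailing tag from the payload and verifies it before any format check sees the payload. Assumptions: the trailing 64 hex characters are an HMAC-SHA256 tag over the payload, the key is a constructed value, and `looks_serialized()`, `split_tagged()` and `verified_payload()` are hypothetical helpers (the first is a simplified stand-in, not `is_serialized()`).

```php
<?php
// Added example; not WordPress or Snuffleupagus code.
// Assumption: the trailing 64 hex characters are an HMAC-SHA256 tag over the payload.
const TAG_HEX_LEN = 64; // hex length of a SHA-256 digest

// Simplified stand-in for a strict format check (hypothetical, not is_serialized()):
// a type token, a colon, and a final ';' or '}'.
function looks_serialized(string $data): bool
{
    return (bool) preg_match('/^[aOsbid]:.*[;}]$/s', $data);
}

// Split "payload . hex tag" into [payload, tag]; null when there is no tag-shaped suffix.
function split_tagged(string $data): ?array
{
    if (strlen($data) <= TAG_HEX_LEN) {
        return null;
    }
    $tag = substr($data, -TAG_HEX_LEN);
    return ctype_xdigit($tag) ? [substr($data, 0, -TAG_HEX_LEN), $tag] : null;
}

// Return the payload only when its tag verifies under $key; null otherwise.
function verified_payload(string $data, string $key): ?string
{
    $parts = split_tagged($data);
    if ($parts === null) {
        return null;
    }
    [$payload, $tag] = $parts;
    // Constant-time comparison; lowercase the tag so hex case does not matter.
    return hash_equals(hash_hmac('sha256', $payload, $key), strtolower($tag)) ? $payload : null;
}

$key      = 'constructed-demo-key'; // constructed value for this example
$payload  = 'O:8:"Example1":1:{s:10:"cache_file";s:15:"../../index.php";}';
$tagged   = $payload . hash_hmac('sha256', $payload, $key);
$tampered = str_replace('index.php', 'other.php', $tagged); // same length, stale tag

var_dump(looks_serialized($payload));                   // format check on the bare payload
var_dump(looks_serialized($tagged));                    // format check on payload + tag
var_dump(verified_payload($tagged, $key) === $payload); // tag verifies, payload recovered
var_dump(verified_payload($tampered, $key));            // modified payload, tag no longer matches
```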