[wp-trac] [WordPress Trac] #53295: Serialized data should be handled as an opaque value
WordPress Trac
noreply at wordpress.org
Sat May 29 14:20:15 UTC 2021
#53295: Serialized data should be handled as an opaque value
-----------------------------+-----------------------------
Reporter: whitewinterwolf | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
Focuses: |
-----------------------------+-----------------------------
The [[https://github.com/WordPress/wordpress-develop/blob/24a70204db8d9ca5c6ddfc2c22247418fa0af5a1/src/wp-includes/functions.php#L642|`is_serialized()`]] function makes strong
assumptions on the serialized data format and layout.
- This seems wrong and unreliable as there is no commitment in PHP
documentation over this formatting: serialized data should be handled as
an opaque binary string instead.
- This breaks third-party software customizing serialized data format, for
instance
[[https://github.com/jvoisin/snuffleupagus/issues/384|Snuffleupagus]], a
security software which adds an HMAC to serialized data to prevent
malicious injections.
The correct way provided by the PHP language to determine whether a string
contains valid serialized data is to simply check the return value of the
[[https://www.php.net/manual/en/function.unserialize.php|`unserialize()`]]
function instead of relying on a dozen various comparisons to implement
a self-made heuristic.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53295>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
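The check the ticket proposes, written out as an added example (this is not WordPress core code and not the reporter's code). It assumes PHP 7.0 or later for the `$options` argument of `unserialize()`, and it covers the two details a practitioner needs when replacing a layout heuristic with a round-trip check: `serialize(false)` produces `'b:0;'`, for which `unserialize()` also returns `false`, and `'allowed_classes' => false` prevents the check from instantiating any class named in untrusted input. The function name `is_serialized_opaque()` and the sample strings are constructed for the example.

```php
<?php
// Added example, not WordPress code: decide whether a string is serialized
// PHP data by asking PHP's own parser instead of inspecting byte layout.
// Assumes PHP >= 7.0 (the $options argument of unserialize()).

/**
 * Return true if $data is a string that PHP's unserialize() accepts.
 *
 * - unserialize() returns false both on malformed input and for the
 *   legitimate value serialize(false) === 'b:0;', so that one encoding is
 *   recognised explicitly before calling unserialize().
 * - 'allowed_classes' => false makes any object in the payload come back as
 *   __PHP_Incomplete_Class, so this validity check never runs __wakeup() or
 *   __destruct() of a class chosen by whoever produced the input.
 * - The data is passed through unchanged (no trimming or slicing), which is
 *   what treating it as an opaque value means.
 */
function is_serialized_opaque($data): bool
{
    if (!is_string($data)) {
        return false;
    }
    if ($data === 'b:0;') {
        return true;   // the only value whose round-trip result is false
    }
    // '@' suppresses the E_NOTICE unserialize() raises on malformed input;
    // the return value is the signal we care about.
    $value = @unserialize($data, ['allowed_classes' => false]);
    return $value !== false;
}

// Constructed sample inputs with the expected verdict for each.
$samples = [
    'a:1:{s:3:"key";s:5:"value";}' => true,   // array
    'b:0;'                         => true,   // serialize(false)
    'i:42;'                        => true,   // integer
    'O:8:"stdClass":0:{}'          => true,   // object, not instantiated
    'a:1:{s:3:"key";s:5:"val";}'   => false,  // declared length 5, actual 3
    'plain text'                   => false,  // not serialized at all
    ''                             => false,  // empty string
];

foreach ($samples as $input => $expected) {
    $got = is_serialized_opaque($input);
    printf(
        "%-32s => %-5s %s\n",
        var_export($input, true),
        $got ? 'true' : 'false',
        $got === $expected ? 'ok' : 'MISMATCH'
    );
}
```

Run with `php is_serialized_opaque.php`; every line should end in `ok`. The `stdClass` sample shows the point of `allowed_classes`: the payload is accepted as well-formed, yet no constructor, `__wakeup()` or `__destruct()` of a caller-named class runs during validation.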