[wp-trac] [WordPress Trac] #53295: Serialized data should be handled as an opaque value
WordPress Trac
noreply at wordpress.org
Tue Jun 1 20:24:53 UTC 2021
#53295: Serialized data should be handled as an opaque value
-----------------------------+------------------------------
Reporter: whitewinterwolf | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
-----------------------------+------------------------------
Comment (by whitewinterwolf):
Hi @siliconforks,
The thing is that the current code is already "vulnerable" to the issues
you raise :
- ''Object injection with PHP 5.6:'' `is_serialized()` already returns
`true` so the caller will unserialize it and execute the malicious payload
anyway.
- ''Object injection from data stored in the database by older WordPress
versions:'' checking the first character of the serialized string doesn't
do anything against trivial bypasses such as objects stored in an array,
so is completely inefficient to protect against such threat.
Nevertheless, I can understand that:
- One may prefer to stick to the historical behavior as much as possible,
no matter the reasoning behind it.
- One may prefer to leave it to the caller to trigger the payload, even it
doesn't change anything to consequences.
I've therefore pushed a new commit:
- Restoring the legacy code for legacy PHP.
- Restoring the original unit test.
- Updating the function description to more closely match its behavior.
- Enabling standard code for PHP >= 7.0.0, allowing the use of tools such
as Snuffleupagus to efficiently protect against the threats you describe.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53295#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list