[wp-trac] [WordPress Trac] #53295: Serialized data should be handled as an opaque value
WordPress Trac
noreply at wordpress.org
Sun May 30 13:39:14 UTC 2021
#53295: Serialized data should be handled as an opaque value
-----------------------------+------------------------------
Reporter: whitewinterwolf | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
-----------------------------+------------------------------
Comment (by whitewinterwolf):
Hi @nacin,
You added for #17375 a unit test to assert that
[https://core.trac.wordpress.org/ticket/17375#comment:38 "serializable
objects will never pass is_serialized()"].
I exposed the details for discussion
[https://wordpress.org/support/topic/is_serialized-behavior-with-serialized-objects/ on the forum],
but the point is that this fails to prevent objects from passing
`is_serialized()`, and even worse, it prevents the use of security products
that efficiently protect against unserialize-related vulnerabilities, thus
actually weakening WordPress against such attacks instead of hardening it.
So, if by any chance you are nearby, I would be glad to have your opinion
on whether this unit test can be reverted?
Thank you!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53295#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>