[wp-trac] [WordPress Trac] #37757: Add `allowed_classes` to `maybe_unserialize` When WordPress is running on PHP 7+
WordPress Trac
noreply at wordpress.org
Thu Apr 24 07:05:33 UTC 2025
#37757: Add `allowed_classes` to `maybe_unserialize` When WordPress is running on PHP 7+
--------------------------------------------------+------------------------------
 Reporter:   chrisguitarguy                       | Owner:       (none)
 Type:       enhancement                          | Status:      new
 Priority:   normal                               | Milestone:   Awaiting Review
 Component:  Security                             | Version:
 Severity:   normal                               | Resolution:
 Keywords:   has-patch has-unit-tests 2nd-opinion | Focuses:
--------------------------------------------------+------------------------------
Comment (by dilipbheda):
I've updated the patch based on @FrancescoCarlucci's latest suggestion.
Additionally, I’ve added support for the `$options` argument in the
`maybe_unserialize` function. The `$options` values are now merged with
the values from the filter (`$default_options`).
Here's an example of how to use the filter:
{{{
add_filter(
	'maybe_unserialize_options',
	function ( $options ) {
		// Get additional allowed classes early from active themes and plugins.
		// Fall back to an empty list when `allowed_classes` is unset or not an array.
		$allowed_classes = ( isset( $options['allowed_classes'] ) && is_array( $options['allowed_classes'] ) )
			? $options['allowed_classes']
			: array();

		$options['allowed_classes'] = array_merge(
			$allowed_classes,
			array( 'AllowedClass1', 'AllowedClass2' )
		);

		return $options;
	}
);
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/37757#comment:16>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
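
As an added illustration (not part of the ticket, the patch, or WordPress core), the following shows what PHP's own `allowed_classes` option does to a serialized object: a class outside the list comes back as `__PHP_Incomplete_Class` and its `__wakeup()` is never called. The classes, the `demo_unserialize()` helper, its default list and its merge order are assumptions made for the example; the real patch may merge options differently.

```php
<?php
// Added example: constructed classes and a hypothetical helper, not WordPress core code.

class AllowedClass1 {
	public $value = 'ok';
}

class NotAllowed {
	public static $woke = false;

	public function __wakeup() {
		// Side effect that must not run for classes outside the allow-list.
		self::$woke = true;
	}
}

/**
 * Hypothetical helper: per-call options override the defaults, then the
 * merged options are handed to PHP's unserialize() (PHP 7.0+).
 */
function demo_unserialize( $data, array $options = array() ) {
	// Assumed default for this demo: only AllowedClass1 may be instantiated.
	$default_options = array( 'allowed_classes' => array( 'AllowedClass1' ) );
	$options         = array_merge( $default_options, $options );

	return unserialize( $data, $options );
}

// Constructed sample input: one object of each class, serialized locally.
$payloads = array(
	'allowed'     => serialize( new AllowedClass1() ),
	'not allowed' => serialize( new NotAllowed() ),
);

foreach ( $payloads as $label => $data ) {
	$result = demo_unserialize( $data );
	// Print the class PHP actually produced for each payload.
	printf( "%-12s => %s\n", $label, get_class( $result ) );
}

// Report whether the side effect in NotAllowed::__wakeup() ran.
var_dump( NotAllowed::$woke );

// A caller expecting only scalars and arrays can pass `allowed_classes => false`,
// in which case even AllowedClass1 is returned as __PHP_Incomplete_Class.
$strict = demo_unserialize( $payloads['allowed'], array( 'allowed_classes' => false ) );
var_dump( $strict instanceof __PHP_Incomplete_Class );
```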