[wp-trac] [WordPress Trac] #62483: maybe_serialize() does support double serialization, but does not inform the developer if doing so
WordPress Trac
noreply at wordpress.org
Sun Mar 2 22:15:26 UTC 2025
#62483: maybe_serialize() does support double serialization, but does not inform
the developer if doing so
-------------------------+------------------------
Reporter: apermo | Owner: audrasjb
Type: enhancement | Status: reviewing
Priority: normal | Milestone: 6.8
Component: General | Version: 3.6.1
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
-------------------------+------------------------
Comment (by TimothyBlynJacobs):
Thanks @apermo.
Yeah, so what you are outlining makes sense for the cases where a developer
is doing something like `add_option( serialize() )`. However, it misses
that double serialization is not just backward compatibility in the sense
that if we remove it, plugins will break. But removing it also opens a
security issue.
I agree, we should discourage developers from doing `add_option(
serialize() )`. This does seem like something that could mostly be
accomplished by a sniff, however.
I definitely don't think we should `_doing_it_wrong`, as it may end up
with developers shooting themselves in the foot trying to remove double
serialization, and introducing a security vulnerability into their code.
Firing an action is a bit better, but still seems heavy for code quality
signal. I'm still worried about developers taking it the wrong way and
trying to remove all instances of double serialization "to increase their
code quality".
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62483#comment:16>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
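To illustrate the round-trip property that the double serialization in `maybe_serialize()` preserves, here is an added example that is not WordPress core code: a simplified stand-in for the `maybe_serialize()` / `maybe_unserialize()` pair, with a hypothetical minimal `looks_serialized()` check in place of core's `is_serialized()`, run against an option value that is a plain string but happens to look like serialized PHP.

```php
<?php
// Added example, not WordPress's own implementation. looks_serialized() is a
// deliberately minimal stand-in for core's is_serialized() and only recognises
// the common top-level forms (N; a:..{..} O:..{..} s:..; i:..; b:..; d:..;).
function looks_serialized( $data ): bool {
    if ( ! is_string( $data ) ) {
        return false;
    }
    $data = trim( $data );
    if ( 'N;' === $data ) {
        return true;
    }
    return (bool) preg_match( '/^[aO]:\d+:.*[;}]$/s', $data )
        || (bool) preg_match( '/^[sibd]:.*;$/s', $data );
}

// Stand-in for maybe_serialize(): a string that already looks serialized is
// serialized again, so that reading it back yields the original string rather
// than the value encoded inside it.
function store_value( $data ) {
    if ( is_array( $data ) || is_object( $data ) || looks_serialized( $data ) ) {
        return serialize( $data );
    }
    return $data;
}

// Variant with the second serialize() removed, for comparison only.
function store_value_no_double( $data ) {
    if ( is_array( $data ) || is_object( $data ) ) {
        return serialize( $data );
    }
    return $data;
}

// Stand-in for maybe_unserialize(). allowed_classes => false keeps the read
// path from instantiating objects even if the stored text describes one.
function read_value( $stored ) {
    if ( looks_serialized( $stored ) ) {
        return unserialize( $stored, array( 'allowed_classes' => false ) );
    }
    return $stored;
}

// Constructed input: a plain string that is also valid serialized PHP.
$user_string = 'a:1:{i:0;s:5:"hello";}';

// With double serialization the caller gets its string back unchanged;
// without it the read path hands back the decoded array instead.
printf( "double:    %s\n", var_export( read_value( store_value( $user_string ) ), true ) );
printf( "no double: %s\n", var_export( read_value( store_value_no_double( $user_string ) ), true ) );
```

The comparison is the point of the discussion above: the extra `serialize()` is what guarantees that a string stored through the API comes back as the same string, which is why stripping it from a plugin "to clean up" changes behaviour on read.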