Index: wp-includes/functions.php
===================================================================
--- wp-includes/functions.php (revision 3657)
+++ wp-includes/functions.php (working copy)
@@ -261,14 +261,37 @@
return 0;
}
-
+/*
function maybe_unserialize($original) {
if ( false !== $gm = @ unserialize($original) )
return $gm;
else
return $original;
}
+*/
+function maybe_unserialize($original) {
+ if ( is_serialized($original) )
+ if ( false !== $gm = @ unserialize($original) )
+ return $gm;
+ return $original;
+}
+
+function is_serialized($data) {
+ if ( !is_string($data) ) {
+ // if it isn't a string, it isn't serialized
+ return false;
+ }
+ $data = trim($data);
+ if ( preg_match("/^(a|d|o|b|i|s):[0-9]+:(.*)[;}]/si",$data) )
+ return true;
+ return false;
+}
+
+function throw_serialization_error($data) {
+ die(__('Error: serialized data was detected!'));
+}
+
/* Options functions */
function get_settings($setting) {
@@ -348,7 +371,7 @@
return apply_filters('all_options', $all_options);
}
-function update_option($option_name, $newvalue) {
+function update_option($option_name, $newvalue, $accept_serialized=false) {
global $wpdb;
if ( is_string($newvalue) )
@@ -365,8 +388,7 @@
return true;
}
- if ( is_array($newvalue) || is_object($newvalue) )
- $newvalue = serialize($newvalue);
+ $newvalue = prepare_data($newvalue, $accept_serialized);
wp_cache_set($option_name, $newvalue, 'options');
@@ -395,8 +417,7 @@
if ( false !== get_option($name) )
return;
- if ( is_array($value) || is_object($value) )
- $value = serialize($value);
+ $value = prepare_data($value);
wp_cache_set($name, $value, 'options');
@@ -418,6 +439,16 @@
return true;
}
+function prepare_data($data, $accept_serialized=false) {
+ if ( is_string($data) )
+ $data = trim($data);
+ elseif ( is_array($data) || is_object($data) )
+ return serialize($data);
+ if ( !$accept_serialized && is_serialized($data) )
+ throw_serialization_error($data);
+ return $data;
+}
+
function add_post_meta($post_id, $key, $value, $unique = false) {
global $wpdb, $post_meta_cache;
@@ -431,6 +462,8 @@
$original = $value;
if ( is_array($value) || is_object($value) )
$value = $wpdb->escape(serialize($value));
+ else
+ $value = prepare_data($value);
$wpdb->query("INSERT INTO $wpdb->postmeta (post_id,meta_key,meta_value) VALUES ('$post_id','$key','$value')");
@@ -510,6 +543,8 @@
$original_value = $value;
if ( is_array($value) || is_object($value) )
$value = $wpdb->escape(serialize($value));
+ else
+ $value = prepare_data($value);
$original_prev = $prev_value;
if ( is_array($prev_value) || is_object($prev_value) )
@@ -2165,9 +2200,7 @@
return false;
$meta_key = preg_replace('|[^a-z0-9_]|i', '', $meta_key);
- if ( is_array($meta_value) || is_object($meta_value) )
- $meta_value = serialize($meta_value);
- $meta_value = trim( $meta_value );
+ $meta_value = prepare_data($meta_value);
if (empty($meta_value)) {
delete_usermeta($user_id, $meta_key);
@@ -2197,9 +2230,7 @@
return false;
$meta_key = preg_replace('|[^a-z0-9_]|i', '', $meta_key);
- if ( is_array($meta_value) || is_object($meta_value) )
- $meta_value = serialize($meta_value);
- $meta_value = trim( $meta_value );
+ $meta_value = prepare_data($meta_value);
if ( ! empty($meta_value) )
$wpdb->query("DELETE FROM $wpdb->usermeta WHERE user_id = '$user_id' AND meta_key = '$meta_key' AND meta_value = '$meta_value'");
Index: wp-admin/admin-functions.php
===================================================================
--- wp-admin/admin-functions.php (revision 3657)
+++ wp-admin/admin-functions.php (working copy)
@@ -226,7 +226,8 @@
// Meta Stuff
if ($_POST['meta']) {
foreach ($_POST['meta'] as $key => $value)
- update_meta($key, $value['key'], $value['value']);
+ if ( '%SERIALIZED_DATA%' != $value )
+ update_meta($key, $value['key'], $value['value']);
}
if ($_POST['deletemeta']) {
@@ -849,6 +850,10 @@
$style = '';
if ('_' == $entry['meta_key'] { 0 })
$style .= ' hidden';
+ if ( is_serialized($entry['meta_value']) ) {
+ -- $count;
+ continue;
+ }
echo "
|
@@ -920,7 +925,10 @@
$metakeyselect = $wpdb->escape(stripslashes(trim($_POST['metakeyselect'])));
$metakeyinput = $wpdb->escape(stripslashes(trim($_POST['metakeyinput'])));
- $metavalue = $wpdb->escape(stripslashes(trim($_POST['metavalue'])));
+ $metavalue = prepare_data(stripslashes((trim($_POST['metavalue']))));
+ if ( '%SERIALIZED_DATA%' == $metavalue )
+ return;
+ $metavalue = $wpdb->escape($metavalue);
if ( ('0' === $metavalue || !empty ($metavalue)) && ((('#NONE#' != $metakeyselect) && !empty ($metakeyselect)) || !empty ($metakeyinput)) ) {
// We have a key/value pair. If both the select and the
@@ -948,7 +956,8 @@
function update_meta($mid, $mkey, $mvalue) {
global $wpdb;
-
+ if ( is_serialized(stripslashes($mvalue)) )
+ return false;
return $wpdb->query("UPDATE $wpdb->postmeta SET meta_key = '$mkey', meta_value = '$mvalue' WHERE meta_id = '$mid'");
}
Index: wp-admin/options.php
===================================================================
--- wp-admin/options.php (revision 3657)
+++ wp-admin/options.php (working copy)
@@ -33,7 +33,8 @@
if (!$_POST['page_options']) {
foreach ($_POST as $key => $value) {
- $options[] = $key;
+ if ( $value != '%SERIALIZED_DATA%')
+ $options[] = $key;
}
} else {
$options = explode(',', stripslashes($_POST['page_options']));
@@ -95,11 +96,17 @@
$options = $wpdb->get_results("SELECT * FROM $wpdb->options ORDER BY option_name");
foreach ($options as $option) :
- $value = wp_specialchars($option->option_value);
+ if ( is_serialized($option->option_value) ) {
+ $value = '%SERIALIZED_DATA%';
+ $disabled = ' disabled="disabled"';
+ } else {
+ $value = wp_specialchars($option->option_value);
+ $disabled = '';
+ }
echo "
|
- |
+ |
$option->option_description |
";
endforeach;