id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
9549	WP should catch serialization errors in options and meta fields	Denis-de-Bernardy	anonymous	"Related to: #8804 and #6532.

One some servers, with some configs, you occasionally get serialized data with an erroneous strlen(). It's clearly php related, but it does break sites.

The bug has to do with the fact that the string length function that is internally used by serialize() doesn't like utf8 much. You get erroneous string length values -- even when strlen() returns the correct value, and even when you overload the strlen() function. This makes it borderline impossible to reproduce on an english site, but it definitely occurs out in the wild.

Anyway, the end result is a corrupt array that is then passed into WP as a string. On occasion, this leads to fatal errors. (see the above two bugs.)

I've mostly seen this happen with text widgets or equivalent; more rarely with post meta fields and the like. It seems to me that this could be corrected by returning a straight false when unserialization fails, as is done in the attached patch."	defect (bug)	closed	normal	2.8	General	2.8	critical	fixed	has-patch dev-feedback