Ticket #37757: ticket-37757.3.patch

src/wp-includes/functions.php

@@ -320 +320 @@
 /**
  * Unserialize value only if it was serialized.
  *
+ * Even if options like 'allowed_classes' are used, there is no guarentee that
+ * vulnerabilities will be avoided. Inputs should always be validated and
+ * serialization should be avoided.
+ *
  * @since 2.0.0
+ * @since 4.9.0 Added the `$options` parameter.
+ *
+ * @see https://secure.php.net/manual/en/function.unserialize.php
  *
  * @param string $original Maybe unserialized original, if is needed.
+ * @param array  $options  Optional. Array of options to pass to unserialize if the PHP version is greater than 7.0.
  * @return mixed Unserialized data can be any type.
  */
-function maybe_unserialize( $original ) {
-        if ( is_serialized( $original ) ) // don't attempt to unserialize data that wasn't serialized going in
-                return @unserialize( $original );
-        return $original;
+function maybe_unserialize( $original, $options = array() ) {
+        // don't attempt to unserialize data that wasn't serialized going in.
+        if ( ! is_serialized( $original ) ) {
+                return $original;
+        }
+
+        if ( defined( 'PHP_MAJOR_VERSION' ) && PHP_MAJOR_VERSION >= 7 ) {
+
+                /**
+                 * Filters the unserialize options array.
+                 *
+                 * Allows for global filtering of all usage of maybe_unserialize
+                 * options. Note that using options like 'allowed_classes' does not
+                 * avoid the vulnerabilities in unserialization.
+                 *
+                 * @since 4.9.0
+                 *
+                 * @see https://secure.php.net/manual/en/function.unserialize.php
+                 *
+                 * @param array $options The options being passed to unserialize.
+                 * @param string $original The contents to be unserialized.
+                 */
+                $options = apply_filters( 'unserialization_options', $options, $original );
+
+                return @unserialize( $original, $options );
+        }
+        return @unserialize( $original );
 }
 
 /**

new file tests/phpunit/data/classes/class-foo.php

@@ +1 @@
+<?php
+/**
+ * Class types to run tests against.
+ *
+ * This is for instance to test unserialization results against.
+ *
+ * @package WordPress
+ */
+
+require_once( dirname( __FILE__ ) . '/class-foobase.php' );
+require_once( dirname( __FILE__ ) . '/class-foointerface.php' );
+
+/**
+ * Foo class.
+ */
+class Foo extends FooBase implements FooInterface { }

new file tests/phpunit/data/classes/class-foobase.php

@@ +1 @@
+<?php
+/**
+ * Foo base class.
+ *
+ * This is for instance to test unserialization results against.
+ *
+ * @package WordPress
+ */
+
+/**
+ * Foo class.
+ */
+class FooBase { }

new file tests/phpunit/data/classes/class-foointerface.php

@@ +1 @@
+<?php
+/**
+ * Foo interface class.
+ *
+ * This is for instance to test unserialization results against.
+ *
+ * @package WordPress
+ */
+
+/**
+ * Foo class.
+ */
+interface FooInterface { }

new file tests/phpunit/tests/functions/class-tests-functions-maybeunserialize.php

@@ +1 @@
+<?php
+
+require_once( ABSPATH . '../tests/phpunit/data/classes/class-foo.php' );
+
+/**
+ * Test maybe_unserialize.
+ *
+ * @group functions.php
+ */
+class Tests_Functions_MaybeUnserialize extends WP_UnitTestCase {
+
+        /**
+         * Object list for testing against.
+         *
+         * @var array
+         */
+        var $object_list = array();
+
+        /**
+         * Array list for testing against.
+         *
+         * @var array
+         */
+        var $array_list = array();
+
+        /**
+         * Setup for tests.
+         */
+        function setUp() {
+                parent::setUp();
+                $this->array_list['foo'] = array(
+                        'name' => 'foo',
+                        'id' => 'f',
+                        'field1' => true,
+                        'field2' => true,
+                        'field3' => true,
+                        'field4' => array(
+                                'red',
+                        ),
+                );
+                $this->array_list['bar'] = array(
+                        'name' => 'bar',
+                        'id' => 'b',
+                        'field1' => true,
+                        'field2' => true,
+                        'field3' => false,
+                        'field4' => array(
+                                'green',
+                        ),
+                );
+                foreach ( $this->array_list as $key => $value ) {
+                        $this->object_list[ $key ] = (object) $value;
+                }
+        }
+
+        /**
+         * Test unserialization default functionality.
+         */
+        public function test_maybe_unserialize() {
+
+                // Unserialization of array.
+                $serialized_array = serialize( $this->array_list );
+                $unseralized_array = maybe_unserialize( $serialized_array );
+                $this->assertEquals( $unseralized_array, $this->array_list );
+
+                // Unserialization of object.
+                $serialized_object = serialize( $this->object_list );
+                $unseralized_object = maybe_unserialize( $serialized_object );
+                $this->assertEquals( $unseralized_object, $this->object_list );
+        }
+
+        /**
+         * Test unserialization no classes allowed.
+         *
+         * @requires PHP 7.0
+         */
+        public function test_maybe_unserialize_php7_no_classes() {
+                $foo = new Foo();
+                $serialized_foo = serialize( $foo );
+                $unseralized_foo = maybe_unserialize( $serialized_foo, array(
+                        'allowed_classes' => false,
+                ) );
+                $this->assertEquals( get_class( $unseralized_foo ), '__PHP_Incomplete_Class' );
+        }
+
+        /**
+         * Test unserialization different classes allowed.
+         *
+         * @requires PHP 7.0
+         */
+        public function test_maybe_unserialize_php7_different_classes() {
+                $foo = new Foo();
+                $serialized_foo = serialize( $foo );
+                $unseralized_foo = maybe_unserialize( $serialized_foo, array(
+                        'allowed_classes' => array(
+                                'bar',
+                        ),
+                ) );
+                $this->assertEquals( get_class( $unseralized_foo ), '__PHP_Incomplete_Class' );
+        }
+
+        /**
+         * Test unserialization class this class implements not allowed.
+         *
+         * @requires PHP 7.0
+         */
+        public function test_maybe_unserialize_php7_implement_classes() {
+                $foo = new Foo();
+                $serialized_foo = serialize( $foo );
+                $unseralized_foo = maybe_unserialize( $serialized_foo, array(
+                        'allowed_classes' => array(
+                                'FooInterface',
+                        ),
+                ) );
+                $this->assertEquals( get_class( $unseralized_foo ), '__PHP_Incomplete_Class' );
+        }
+
+        /**
+         * Test unserialization class this class extends not allowed.
+         *
+         * @requires PHP 7.0
+         */
+        public function test_maybe_unserialize_php7_extend_classes() {
+                $foo = new Foo();
+                $serialized_foo = serialize( $foo );
+                $unseralized_foo = maybe_unserialize( $serialized_foo, array(
+                        'allowed_classes' => array(
+                                'FooBase',
+                        ),
+                ) );
+                $this->assertEquals( get_class( $unseralized_foo ), '__PHP_Incomplete_Class' );
+        }
+
+        /**
+         * Test unserialization with classes allowed.
+         *
+         * @requires PHP 7.0
+         */
+        public function test_maybe_unserialize_php7_allowed_classes() {
+                $foo = new Foo();
+                $serialized_foo = serialize( $foo );
+                $unseralized_foo = maybe_unserialize( $serialized_foo, array(
+                        'allowed_classes' => array(
+                                'Foo',
+                        ),
+                ) );
+                $this->assertEquals( get_class( $unseralized_foo ), 'Foo' );
+        }
+
+        /**
+         * Test unserialization with classes allowed.
+         *
+         * @requires PHP 7.0
+         */
+        public function test_maybe_unserialize_php7_filter_options() {
+                $foo = new Foo();
+                $serialized_foo = serialize( $foo );
+                add_filter( 'unserialization_options', array( $this, 'filter__maybe_unserialize_allowed_classes' ), 10, 3 );
+                $unseralized_foo = maybe_unserialize( $serialized_foo );
+                $this->assertEquals( get_class( $unseralized_foo ), 'Foo' );
+        }
+
+        /**
+         * Filter callback for maybe_unserialize options.
+         *
+         * @param array  $options The options to be passed to the php unserialize().
+         * @param string $original The contents to be unserialized.
+         *
+         * @return array The options to pass to the php unserialize().
+         */
+        public function filter__maybe_unserialize_allowed_classes( $options, $original ) {
+                $options = array(
+                        'allowed_classes' => array(
+                                'Foo',
+                        ),
+                );
+                return $options;
+        }
+
+}