Ticket #9930: 9930.2.patch

wp-includes/functions.php

@@ -217 +217 @@
 }
 
 /**
- * Check value to find if it was serialized.
+ * Check if value is serialized.
  *
  * If $data is not an string, then returned value will always be false.
  * Serialized data is always a string.
+ * 
+ * NOTICE: There can be no guarantee wether the data passed was not
+ * just a string even if this function returns true.
  *
  * @since 2.0.5
  *
  * @param mixed $data Value to check to see if was serialized.
- * @return bool False if not serialized and true if it was.
+ * @return bool False if not serialized and true if.
  */
 function is_serialized( $data ) {
-        // if it isn't a string, it isn't serialized
         if ( !is_string( $data ) )
                 return false;
         $data = trim( $data );
         if ( 'N;' == $data )
-                return true;
-        if ( function_exists('strpbrk') ) {
-                if ( strlen($data) > 1 && strpbrk($data,'adObis') == $data && $data[1] == ':' ) {
-                        $badions = array();
-                        $badions[1] = $data[0];
-                } else {
-                        return false;
-                }
-        } elseif ( !preg_match( '/^([adObis]):/', $data, $badions ) ) {
+                return true; # NULL; fixed length: 2
+        if ( strlen( $data ) < 4 )
                 return false;
+        if ( ':' !== $data[1] )
+                return false;
+        $type = $data[0];
+        if ( false === strpos('abdiOs', $type ) )
+                return false;
+
+        switch ( $type ) {
+                case 'a' : # array; min length: 6
+                        return (bool) preg_match( '/^a:[0-9]+:{.*}$/s', $data );
+                case 'b' : # bool; min length: 4
+                case 'd' : # double; min length: 4
+                case 'i' : # integer; min length: 4
+                        return (bool) preg_match( "/^{$type}:[0-9.E+-]+;\$/", $data );
+                case 'O' : # object; min length 12
+                        return (bool) preg_match( '/^O:[0-9]+:"[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*":[0-9]+:{.*}$/s', $data );
+                case 's' : # string; min length 7
+                        return (bool) preg_match( '/^s:[0-9]+:".*";$/s', $data );
         }
-        switch ( $badions[1] ) {
-                case 'a' :
-                case 'O' :
-                case 's' :
-                        if ( preg_match( "/^{$badions[1]}:[0-9]+:.*[;}]\$/s", $data ) )
-                                return true;
-                        break;
-                case 'b' :
-                case 'i' :
-                case 'd' :
-                        if ( preg_match( "/^{$badions[1]}:[0-9.E-]+;\$/", $data ) )
-                                return true;
-                        break;
-        }
         return false;
 }