

Timestamp:
09/10/2013 06:43:51 PM (11 years ago)
Author:
nacin
Message:

Loose validation for is_serialized() in maybe_serialize(). Merges [25320] to 3.6.

Location:
branches/3.6
Files:
2 edited

  • branches/3.6

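--- a/branches/3.6/wp-includes/functions.php
+++ b/branches/3.6/wp-includes/functions.php
@@ -243,7 +243,8 @@
  *
  * @param mixed $data Value to check to see if was serialized.
+ * @param bool $strict Optional. Whether to be strict about the end of the string. Defaults true.
  * @return bool False if not serialized and true if it was.
  */
-function is_serialized( $data ) {
+function is_serialized( $data, $strict = true ) {
     // if it isn't a string, it isn't serialized
     if ( ! is_string( $data ) )
@@ -257,12 +258,22 @@
     if ( ':' !== $data[1] )
         return false;
-    $lastc = $data[$length-1];
-    if ( ';' !== $lastc && '}' !== $lastc )
-        return false;
+    if ( $strict ) {
+        $lastc = $data[ $length - 1 ];
+        if ( ';' !== $lastc && '}' !== $lastc )
+            return false;
+    } else {
+        // ensures ; or } exists but is not in the first X chars
+        if ( strpos( $data, ';' ) < 3 && strpos( $data, '}' ) < 4 )
+            return false;
+    }
     $token = $data[0];
     switch ( $token ) {
         case 's' :
-            if ( '"' !== $data[$length-2] )
+            if ( $strict ) {
+                if ( '"' !== $data[ $length - 2 ] )
+                    return false;
+            } elseif ( false === strpos( $data, '"' ) ) {
                 return false;
+            }
         case 'a' :
         case 'O' :
@@ -271,5 +282,6 @@
         case 'i' :
         case 'd' :
-            return (bool) preg_match( "/^{$token}:[0-9.E-]+;\$/", $data );
+            $end = $strict ? '$' : '';
+            return (bool) preg_match( "/^{$token}:[0-9.E-]+;$end/", $data );
     }
     return false;
@@ -318,5 +330,5 @@
     // Double serialization is required for backward compatibility.
     // See http://core.trac.wordpress.org/ticket/12930
-    if ( is_serialized( $data ) )
+    if ( is_serialized( $data, false ) )
         return serialize( $data );
 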
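Review bot: The loose branch added to is_serialized() at `if ( strpos( $data, ';' ) < 3 && strpos( $data, '}' ) < 4 )` only rejects a string that contains neither delimiter because strpos() returns `false` and `false < 3` is true through bool-to-int coercion; the outcome is the intended one, but it reads as accidental and would silently change if someone later tightened the comparison. I would make the not-found case explicit: `$semi = strpos( $data, ';' ); $brace = strpos( $data, '}' );` and then `if ( ( false === $semi || $semi < 3 ) && ( false === $brace || $brace < 4 ) ) return false;`. The comment `// ensures ; or } exists but is not in the first X chars` should also say why 3 and 4 are the chosen offsets, since nothing in the hunk documents them. The length checks on $data that precede the `$data[1]` access are outside this hunk, so I have not verified that very short input is safe in the non-strict path; the same comment applies to the unchanged `'a'`/`'O'` handling that the `'s'` case still falls through to.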