

Timestamp:
10/12/2006 11:54:36 PM (19 years ago)
Author:
markjaquith
Message:

Prevent users from entering strings that will be interpreted as serialized arrays/objects on the way out. fixes #2591

File:
1 edited

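--- a/trunk/wp-includes/functions.php
+++ b/trunk/wp-includes/functions.php
@@ -157,8 +157,26 @@
 
 function maybe_unserialize($original) {
-    if ( false !== $gm = @ unserialize($original) )
-        return $gm;
-    else
-        return $original;
+    if ( is_serialized($original) ) // don't attempt to unserialize data that wasn't serialized going in
+        if ( false !== $gm = @ unserialize($original) )
+            return $gm;
+    return $original;
+}
+
+function is_serialized($data) {
+    if ( !is_string($data) ) // if it isn't a string, it isn't serialized
+        return false;
+    $data = trim($data);
+    if ( preg_match("/^[adobis]:[0-9]+:.*[;}]/si",$data) ) // this should fetch all legitimately serialized data
+        return true;
+    return false;
+}
+
+function is_serialized_string($data) {
+    if ( !is_string($data) ) // if it isn't a string, it isn't a serialized string
+        return false;
+    $data = trim($data);
+    if ( preg_match("/^s:[0-9]+:.*[;}]/si",$data) ) // this should fetch all serialized strings
+        return true;
+    return false;
 }
 
@@ -240,6 +258,5 @@
 
     $_newvalue = $newvalue;
-    if ( is_array($newvalue) || is_object($newvalue) )
-        $newvalue = serialize($newvalue);
+    $newvalue = prepare_data($newvalue);
 
     wp_cache_set($option_name, $newvalue, 'options');
@@ -263,6 +280,5 @@
         return;
 
-    if ( is_array($value) || is_object($value) )
-        $value = serialize($value);
+    $value = prepare_data($value);
 
     wp_cache_set($name, $value, 'options');
@@ -284,4 +300,14 @@
     wp_cache_delete($name, 'options');
     return true;
+}
+
+function prepare_data($data) {
+    if ( is_string($data) )
+        $data = trim($data);
+    elseif ( is_array($data) || is_object($data) )
+        return serialize($data);
+    if ( is_serialized($data) )
+        return serialize($data);
+    return $data;
 }
 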
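Review bot: The pattern in is_serialized (new lines 169–170) can never match the scalar forms `b:`, `i:`, `d:` or `N;`, because those carry no second `:length:` field even though the character class lists them, so maybe_unserialize now returns any such serialized scalar as a raw string where it previously unserialized it. A minimal fix is `if ( 'N;' == $data ) return true;` before the match and `if ( preg_match("/^(?:[aOs]:[0-9]+:.*[;}]|[bid]:[^;]*;)$/si", $data) ) return true;` in place of the current line. prepare_data (new line 306) also trims every string before it is stored, which silently alters option values whose leading or trailing whitespace is significant; that side effect is wider than the commit message describes and deserves a comment, and is_serialized_string has no caller anywhere in this changeset. The pre-check narrows what reaches `@ unserialize()` but still accepts `O:` payloads, so stored options remain a point where classes are instantiated on read; a one-line comment above maybe_unserialize stating that limitation would help the next maintainer.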