Make WordPress Core

Changeset 49382


Ignore:
Timestamp:
10/29/2020 05:58:49 PM (4 years ago)
Author:
desrosj
Message:

External Libraries: Disable deserialization in Requests_Utility_FilteredIterator

Props xknown, peterwilsoncc, desrosj, dd32, whyisjake.
Merges [49373] to trunk.

Location:
trunk
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • trunk

  • trunk/src/wp-includes/Requests/Utility/FilteredIterator.php

    r46586 r49382  
    4343        return $value;
    4444    }
     45
     46    /**
     47     * @inheritdoc
     48     */
     49    public function unserialize( $serialized ) {
     50    }
     51
     52    /**
     53     * @inheritdoc
     54     */
     55    public function __unserialize( $serialized ) { // phpcs:ignore PHPCompatibility.FunctionNameRestrictions.ReservedFunctionNames.MethodDoubleUnderscore,PHPCompatibility.FunctionNameRestrictions.NewMagicMethods.__unserializeFound
     56    }
     57
     58    public function __wakeup() { // phpcs:ignore PHPCompatibility.FunctionNameRestrictions.ReservedFunctionNames.MethodDoubleUnderscore,PHPCompatibility.FunctionNameRestrictions.NewMagicMethods.__wakeupFound
     59        unset( $this->callback );
     60    }
    4561}
  • trunk/tests/phpunit/tests/functions.php

    r49329 r49382  
    268268    function test_is_serialized( $value, $expected ) {
    269269        $this->assertSame( $expected, is_serialized( $value ) );
     270    }
     271
     272    /**
     273     * @dataProvider data_serialize_deserialize_objects
     274     */
     275    function test_deserialize_request_utility_filtered_iterator_objects( $value ) {
     276        $serialized = maybe_serialize( $value );
     277        if ( get_class( $value ) === 'Requests_Utility_FilteredIterator' ) {
     278            $new_value = unserialize( $serialized );
     279            if ( version_compare( PHP_VERSION, '5.3', '>=' ) ) {
     280                $property = ( new ReflectionClass( 'Requests_Utility_FilteredIterator' ) )->getProperty( 'callback' );
     281                $property->setAccessible( true );
     282                $callback_value = $property->getValue( $new_value );
     283                $this->assertSame( null, $callback_value );
     284            } else {
     285                $current_item = @$new_value->current(); // phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged
     286                $this->assertSame( null, $current_item );
     287            }
     288        } else {
     289            $this->assertEquals( $value->count(), unserialize( $serialized )->count() );
     290        }
     291    }
     292
     293    function data_serialize_deserialize_objects() {
     294        return array(
     295            array( new Requests_Utility_FilteredIterator( array( 1 ), 'md5' ) ),
     296            array( new Requests_Utility_FilteredIterator( array( 1, 2 ), 'sha1' ) ),
     297            array( new ArrayIterator( array( 1, 2, 3 ) ) ),
     298        );
    270299    }
    271300
Note: See TracChangeset for help on using the changeset viewer.