Opened 11 years ago
Closed 11 years ago
#19617 closed defect (bug) (fixed)
Use maybe_unserialize() for HTTP requests
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | 3.4 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Warnings/Notices | Keywords: | has-patch dev-feedback |
Focuses: | | Cc: | |
Description
In a few cases, we use this convention: unserialize( wp_remote_retrieve_body( $response ) ). When the request fails, unserialize() gets an empty string, and that's no good.
I see this one every so often: Notice: unserialize(): Error at offset 0 of 11 bytes in /Users/nacin/Sites/beta/wp-includes/update.php on line 288
These are all of the unserialize() calls in core. Let's move all of them to maybe_unserialize() unless there is a good reason to keep them at unserialize() —
./wp-admin/includes/dashboard.php:1250: $response = unserialize( wp_remote_retrieve_body( $response ) );
./wp-admin/includes/plugin-install.php:48: $res = unserialize( wp_remote_retrieve_body( $request ) );
./wp-admin/includes/theme.php:413: $res = unserialize( wp_remote_retrieve_body( $request ) );
./wp-admin/includes/upgrade.php:1090: if ( !@unserialize( $value ) )
./wp-admin/includes/upgrade.php:1242: if ( !@unserialize( $value ) )
./wp-admin/includes/upgrade.php:1406: @ $kellogs = unserialize($option);
./wp-includes/ms-functions.php:848: $meta = unserialize($signup->meta);
./wp-includes/update.php:188: $response = unserialize( wp_remote_retrieve_body( $raw_response ) );
./wp-includes/update.php:288: $response = unserialize( wp_remote_retrieve_body( $raw_response ) );
./wp-includes/user.php:886: $b_roles = unserialize($caps_meta);
Attachments (2)
Change History (6)
#3 @ 11 years ago
I didn't touch the non-update cases. All of those cases will need to have extra validation applied: unserialize() returns false for invalid (non-serialised) data, whereas maybe_unserialize() is going to pass it straight through, causing the old false === unserialize() checks to fail.
Changes serialize() to maybe_serialize() in listed files.
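The following is an added, self-contained PHP example (not WordPress code and not from the ticket's patch) that illustrates both the notice described in the ticket and the validation caveat raised in comment #3. The helpers looks_serialized() and maybe_unserialize_like() are simplified stand-ins for WordPress's is_serialized() and maybe_unserialize(), and decode_remote_body() is a hypothetical defensive wrapper.

```php
<?php
// Constructed example, not WordPress code. Shows why unserialize() on an empty
// HTTP body emits a notice, what a maybe_unserialize()-style wrapper changes,
// and the extra validation the old `false === unserialize()` checks then need.
declare(strict_types=1);

// Minimal stand-in for WordPress's is_serialized(): a serialized PHP value
// always starts with a type marker and is never an empty string.
function looks_serialized(string $data): bool
{
    $data = trim($data);
    if ('N;' === $data) {
        return true;
    }
    return 1 === preg_match('/^[abdisOC]:/', $data);
}

// Stand-in for maybe_unserialize(): non-serialized input is returned unchanged,
// so a failed request body ("") comes back as "" rather than false.
function maybe_unserialize_like(string $data)
{
    if (looks_serialized($data)) {
        // allowed_classes => false: remote data must never instantiate objects.
        return unserialize($data, ['allowed_classes' => false]);
    }
    return $data;
}

// Hypothetical defensive decode for a remote response body: distinguish
// "request failed or body not serialized" from a serialized value that is falsy.
function decode_remote_body(string $body): array
{
    if (!looks_serialized($body)) {
        return ['ok' => false, 'value' => null];
    }
    $value = @unserialize($body, ['allowed_classes' => false]);
    if (false === $value && 'b:0;' !== trim($body)) {
        return ['ok' => false, 'value' => null];
    }
    return ['ok' => true, 'value' => $value];
}

$empty = '';                                  // body after a failed remote request
$good  = serialize(['version' => '3.4']);     // constructed well-formed body

var_dump(false === @unserialize($empty));            // bool(true): old check works
var_dump(false === maybe_unserialize_like($empty));  // bool(false): "" passes through
var_dump(decode_remote_body($empty)['ok']);          // bool(false)
var_dump(decode_remote_body($good)['value']);        // array with ["version"] => "3.4"
```

Without the `@`, the first unserialize($empty) call emits the same "Error at offset 0" notice quoted in the ticket; the point of the wrapper is that callers must then check for a non-serialized pass-through rather than for false.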