Replace PHP-serialized data with JSON in api.wordpress.org
| Reported by: | scribu | Owned by: | |
Description (last modified by scribu)
Returning PHP-serialized strings in api.wordpress.org is lame, for two reasons:
1. It has the potential to lead to security exploits via PHP object injection: http://vagosec.org/2013/09/wordpress-php-object-injection/
   Considering that Core doesn't use HTTPS for most requests it makes to api.wordpress.org, this is even more plausible.
2. It's hard to unserialize these strings in other languages besides PHP. JSON is the obvious replacement.
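The difference behind the first reason in the description above, as an added example (not code from the ticket or from WordPress): the `CacheFile` class and both response bodies are constructed for illustration, and the `allowed_classes` option shown as an interim mitigation requires PHP 7.0 or later.

```php
<?php
// Constructed stand-in for any class with a magic method that happens to be
// loaded in the client. Its __wakeup() only records that it was called.
class CacheFile {
    public $path = '';
    public static $woken = [];

    public function __wakeup() {
        // Invoked automatically by unserialize(), before the caller sees the data.
        self::$woken[] = $this->path;
    }
}

// Constructed response bodies carrying the same data in both encodings.
// The "extra" entry is what a party able to alter the response could add.
$serialized = 'a:2:{s:7:"version";s:5:"1.2.3";s:5:"extra";'
            . 'O:9:"CacheFile":1:{s:4:"path";s:8:"/tmp/any";}}';
$json       = '{"version":"1.2.3","extra":{"path":"/tmp/any"}}';

function report($label, $decoded) {
    $extra = $decoded['extra'];
    $type  = is_object($extra) ? get_class($extra) : gettype($extra);
    printf("%-32s extra is %-24s __wakeup calls: %d\n",
        $label, $type, count(CacheFile::$woken));
    CacheFile::$woken = [];   // reset between cases
}

// 1. Plain unserialize(): the response chooses which class is instantiated,
//    and that class's magic method runs during decoding.
report('unserialize()', unserialize($serialized));

// 2. unserialize() with classes disallowed: the object is decoded as
//    __PHP_Incomplete_Class and no magic method of CacheFile is invoked.
report('unserialize(allowed_classes=false)',
    unserialize($serialized, ['allowed_classes' => false]));

// 3. json_decode(): the format has no notion of PHP classes, so the same
//    data arrives as plain arrays and scalars.
$decoded = json_decode($json, true);
if (!is_array($decoded)) {
    throw new RuntimeException('Malformed JSON: ' . json_last_error_msg());
}
report('json_decode()', $decoded);
```

Neither decoding option authenticates the response, so the plain-HTTP transport mentioned in the description remains a separate issue.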