Opened 11 years ago
Closed 11 years ago
#25311 closed task (blessed) (fixed)
Replace PHP-serialized data with JSON in api.wordpress.org
Reported by: | scribu | Owned by: | |
---|---|---|---|
Milestone: | 3.7 | Priority: | normal |
Severity: | normal | Version: | |
Component: | WordPress.org Site | Keywords: | needs-docs |
Focuses: | Cc: |
Description (last modified by )
Returning PHP-serialized strings in api.wordpress.org is lame, for two reasons:
Security
It has the potential to lead to security exploits via PHP object injection: http://vagosec.org/2013/09/wordpress-php-object-injection/
Considering that Core doesn't use HTTPS for most requests it makes to api.wordpress.org, this is even more plausible.
Portability
It's hard to unserialize these strings in other languages besides PHP. JSON is the obvious replacement.
Related: #meta124
Attachments (1)
Change History (18)
#5
follow-up:
↓ 6
@
11 years ago
25311.diff receives JSON-encoded data from 1.1 endpoints for core/browse-happy, importers, and credits. It's the same data structures as the serialized data, which means associative arrays become objects. Here, I've chosen to manually convert them back to arrays for storage and reference.
Two of them (browse-happy, importers) are simple, and also correspond to the array-based return of public functions. Credits is a bit more complicated of a data structure; and we could very likely get away with changing the return value of wp_credits() (and also the data type of the transient) and then change all of the references from arrays to objects.
#6
in reply to:
↑ 5
;
follow-up:
↓ 7
@
11 years ago
Replying to nacin:
which means associative arrays become objects. Here, I've chosen to manually convert them back to arrays for storage and reference.
The 2nd parameter of json_decode()
can be used to convert them to arrays, which is what [25219] did "When TRUE, returned objects will be converted into associative arrays."
#7
in reply to:
↑ 6
@
11 years ago
Replying to dd32:
The 2nd parameter of
json_decode()
can be used to convert them to arrays
Ah, I completely forgot about that.
#10
@
11 years ago
We need to carefully look through the return values of the theme and plugin API /info/ endpoints as they have quite a bit of variance in return values. Need to not break existing usage of plugins_api() and themes_api().
#15
@
11 years ago
- Keywords needs-docs added
We'll need a blog post on Make/Core about this change due to the following.
Plugins that hook into the http_request_args
filter in order to filter out plugins or themes from the api.wordpress.org update checks will break update checks entirely due to expecting serialised data and instead getting JSON encoded data.
I've updated a plugin of mine so it supports JSON encoded data and serialised data, but I only did this after getting PHP warnings and noticing that updates were broken.
I would volunteer to work on this, but from the discussions at WPCS, it's tricky to get access to the code that's powering api.wordpress.org, not to mention a testing environment for it.