users can enter dangerous serialized strings
|Reported by:||random||Owned by:||markjaquith|
Users can enter serialized objects etc. as strings in (e.g.) the "first name" field on the profile page, and these strings aren't necessarily safe to unserialized.
For example, serialized objects run the magic _ _wakeup() function when they're unserialized. If the PDO extension is enabled -- and it is by default in PHP 5 -- you can cause a fatal error with this:
Much worse, you can enter something like:
i.e., an array with 100,000,000 elements. PHP doesn't know they're empty, so it starts eating up memory. In my test it crashed Apache.
Either way, it's a problem. I think it's best to add something to maybe_unserialize(), since just sanitizing input will still leave plugins vulnerable down the road.
I'm not adding a patch since I can only think of hacks like checking for /O:/ or that the number of elements doesn't go over some arbitrary limit. Thoughts?
Maybe a type-hinting field for the setting, so something input as a string isn't unserialized?
Change History (36)
comment:9 markjaquith — 8 years ago
- Owner changed from anonymous to markjaquith
- Status changed from new to assigned
comment:25 markjaquith — 7 years ago
- Milestone changed from 2.1 to 2.0.5
- Resolution fixed deleted
- Status changed from closed to reopened