#4029 closed defect (bug) (invalid)
maybe_serialize() can do double-serialize
Reported by: | takayukister | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | major | Version: | 2.2 |
Component: | General | Keywords: | has-patch dev-feedback |
Focuses: | Cc: |
Description
I'm not sure if this is a problem, but I'm little confused. When a string argument is passed to maybe_serialize(), it serialize the string even if the string is an object which is already serialized. Is it necessary??
Attachments (2)
Change History (13)
#1
@
18 years ago
- Keywords dev-feedback added; serialize removed
- Milestone changed from 2.3 to 2.2
- Priority changed from low to normal
- Severity changed from normal to major
Haha, I'm guessing we don't use maybe_serialize at all in the code.
But yes, I'm puzzled too and your patch makes sense.
#2
@
18 years ago
Looks like it's been broken since it was introduce in [4382]. Fix looks good to me.
#4
@
18 years ago
- Resolution fixed deleted
- Status changed from closed to reopened
I think the original logic was intentional.
If you want to store a serialized string, you store it as twice serialized so that when you retrieve it, it comes back once serialized.
MarkJaquith?
#5
@
18 years ago
I believe its intentional also. This way, nobody can fake a serialized string that is an array with a bizzare amount of elements for the sole purpose of crashing PHP and the webserver. I remember this being a bug in the past because you could put a serialized string in some of the options fields and it would be deserialized, meaning you could inject objects/large arrays/etc.
#6
@
18 years ago
But using maybe_serialize() outside the context of options.php could be confusing. You could triple serialize if not careful, yes?
#7
@
18 years ago
I am sorry but I found that my first patch may cause another problem.
Original maybe_serialize() does not apply serialization to plain (not serialized) string, so there are many plain string values existing in options, postmeta and usermeta tables. My patched maybe_serialize() reverse the behavior and serialize all the plain strings.
If there are codes or plugins that access directly to that tables and expect to get plain string value, they may fail.
I'm sorry for my carelessness. I think it would be good to make another patches if necessary.
#9
@
18 years ago
- Milestone 2.2 deleted
- Resolution set to invalid
- Status changed from reopened to closed
Intentional. Ensures that input == output (using maybe_unserialize()
). Otherwise, as masquerade pointed out, you can enter a serialized array into a string input and get an array as the output. There were documented server-crash scenarios from this.
The other solution was serializing everything, but this makes the options and meta tables really unfriendly.
#10
@
17 years ago
Some questions:
- who did invent that function maybe_serialize()?
- where is documented when this function should be used?
- where is documented why this function has been implemented?
#11
@
17 years ago
where is documented when this function should be used?
where is documented why this function has been implemented?
I'm not sure on either account, However, The use of maybe_serialize()/ maybe_unserialize() functions are used when storing metadata(post, taxonomy, options), It means that a string can be saved as a pure string(unserialised) - which reduces on operations needed, It means that a integer gets straight into the db, it means that an array gets serialized before, etc. maybe_unserialize() does the same, if the input is serialised, it spits out the unserialised version, else lets it pass straight theough
Serialize if target is *not* serialized.