Make WordPress Core

Opened 17 years ago

Closed 17 years ago

Last modified 16 years ago

#4029 closed defect (bug) (invalid)

maybe_serialize() can do double-serialize

Reported by: takayukister's profile takayukister Owned by:
Milestone: Priority: normal
Severity: major Version: 2.2
Component: General Keywords: has-patch dev-feedback
Focuses: Cc:


I'm not sure if this is a problem, but I'm little confused. When a string argument is passed to maybe_serialize(), it serialize the string even if the string is an object which is already serialized. Is it necessary??

Attachments (2)

maybe_serialize.diff (426 bytes) - added by takayukister 17 years ago.
Serialize if target is *not* serialized.
4029.testcases.diff (2.7 KB) - added by jacobsantos 16 years ago.
Test cases for maybe_serialize()

Download all attachments as: .zip

Change History (13)

17 years ago

Serialize if target is *not* serialized.

#1 @rob1n
17 years ago

  • Keywords dev-feedback added; serialize removed
  • Milestone changed from 2.3 to 2.2
  • Priority changed from low to normal
  • Severity changed from normal to major

Haha, I'm guessing we don't use maybe_serialize at all in the code.

But yes, I'm puzzled too and your patch makes sense.

#2 @ryan
17 years ago

Looks like it's been broken since it was introduce in [4382]. Fix looks good to me.

#3 @ryan
17 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [5102]) Correct reversed logic in maybe_serialize. Props takayukister. fixes #4029

#4 @mdawaffe
17 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

I think the original logic was intentional.

If you want to store a serialized string, you store it as twice serialized so that when you retrieve it, it comes back once serialized.


#5 @masquerade
17 years ago

I believe its intentional also. This way, nobody can fake a serialized string that is an array with a bizzare amount of elements for the sole purpose of crashing PHP and the webserver. I remember this being a bug in the past because you could put a serialized string in some of the options fields and it would be deserialized, meaning you could inject objects/large arrays/etc.

#6 @ryan
17 years ago

But using maybe_serialize() outside the context of options.php could be confusing. You could triple serialize if not careful, yes?

#7 @takayukister
17 years ago

I am sorry but I found that my first patch may cause another problem.

Original maybe_serialize() does not apply serialization to plain (not serialized) string, so there are many plain string values existing in options, postmeta and usermeta tables. My patched maybe_serialize() reverse the behavior and serialize all the plain strings.

If there are codes or plugins that access directly to that tables and expect to get plain string value, they may fail.

I'm sorry for my carelessness. I think it would be good to make another patches if necessary.

#8 @ryan
17 years ago

[5109] reverts.

#9 @markjaquith
17 years ago

  • Milestone 2.2 deleted
  • Resolution set to invalid
  • Status changed from reopened to closed

Intentional. Ensures that input == output (using maybe_unserialize()). Otherwise, as masquerade pointed out, you can enter a serialized array into a string input and get an array as the output. There were documented server-crash scenarios from this.

The other solution was serializing everything, but this makes the options and meta tables really unfriendly.

#10 @hakre
16 years ago

Some questions:

  • who did invent that function maybe_serialize()?
  • where is documented when this function should be used?
  • where is documented why this function has been implemented?

#11 @DD32
16 years ago

where is documented when this function should be used?
where is documented why this function has been implemented?

I'm not sure on either account, However, The use of maybe_serialize()/ maybe_unserialize() functions are used when storing metadata(post, taxonomy, options), It means that a string can be saved as a pure string(unserialised) - which reduces on operations needed, It means that a integer gets straight into the db, it means that an array gets serialized before, etc. maybe_unserialize() does the same, if the input is serialised, it spits out the unserialised version, else lets it pass straight theough

16 years ago

Test cases for maybe_serialize()

Note: See TracTickets for help on using tickets.