Right on time, and it was about time. We all know that many of the issues WordPress faces today come from sins of the past, and instead of correcting and fixing them, the core crew keeps making cosmetic changes for particular cases at particular times.
Serialization and WordPress
PHP serialization is a big security problem for WordPress, and it stays that way because of backward-compatibility debt. Right now WordPress instances are on thin ice whenever serialization is involved: one simple, tiny mistake can end in a full system compromise, and the attack surface is large:
- changing meta values outside the maybe_serialize() routines, like here and here
- repetitive usage of
- direct input into maybe_unserialize(), in the form of export files or values crunched via the wp-cli search-replace functionality.
Fix proposal for WordPress
This piece of code should be enough to show everyone, in a concrete way, how this could be solved properly. There are many reasons for this approach. One is backward compatibility, but there is also the performance factor: on big data sets PHP's unserialize() beats almost every alternative serialization approach. From the security side it introduces data integrity, i.e. it lets us be sure that the data was placed there by the system and not from the outside. One of the weaknesses of PHP serialization is used here as the countermeasure.
How to prepare your systems for its usage
The approach is more than easy, and it can even be done on a live environment because backward compatibility is built into it. Simply loop through all the DB columns, pass every cell through is_serialized($cell_value, false), and if it returns true update the cell with the output of sign_serialize(). That is it: even if you keep the old unserialize() calls, everything will keep working. By the way, the code also contains a permissive demo mode in which you can monitor what is going on with the serialized values on your system. Yes, we need filters there in the core!
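The signing scheme and the migration loop, as one added example that serves both the fix proposal above and the preparation steps just described. This is added code, not the post's own gist and not WordPress core: the names sign_serialize(), verify_unserialize() and ss_*, the SIGNED_SERIALIZE_KEY constant and the trailer layout are assumptions. It also assumes that the "weakness used as a countermeasure" is unserialize() ignoring trailing bytes after a complete value, which is what lets untouched legacy unserialize() calls keep reading a signed cell (PHP 8.3 and later emit an E_WARNING for the extra bytes; the verifying wrapper strips the trailer first, so it never sees it). is_serialized() is WordPress' own function; a simplified stand-in is defined only when it is absent so the file runs outside WordPress.

```php
<?php
// Added example (not WordPress core, not the post's gist). Assumed layout:
//   <serialize($value)> . '#sig:' . <hex HMAC-SHA256 over the serialized bytes>
// A serialized PHP value always ends in ';' or '}', so the trailer cannot be
// confused with the payload, and unserialize() ignores trailing bytes
// (PHP 8.3+ warns), so legacy callers still get the value. Requires PHP 8.0+.

const SS_MARK    = '#sig:';
const SS_ALGO    = 'sha256';
const SS_HEX_LEN = 64;

if (!function_exists('is_serialized')) {
    // Simplified stand-in for WordPress' is_serialized() (wp-includes/functions.php).
    // Non-strict mode tolerates trailing data, which is why the post calls it with false.
    function is_serialized($data, bool $strict = true): bool
    {
        if (!is_string($data)) { return false; }
        $data = trim($data);
        if ($data === 'N;') { return true; }
        if (!preg_match('/^(?:[abdiO]:\d|s:\d+:")/', $data)) { return false; }
        if ($strict) { return in_array(substr($data, -1), [';', '}'], true); }
        return str_contains($data, ';') || str_contains($data, '}');
    }
}

function ss_key(): string
{
    // The secret must live outside the database (e.g. a wp-config.php constant, assumed
    // name SIGNED_SERIALIZE_KEY); otherwise SQL injection could re-sign a tampered cell.
    if (!defined('SIGNED_SERIALIZE_KEY') || strlen((string) SIGNED_SERIALIZE_KEY) < 32) {
        throw new RuntimeException('SIGNED_SERIALIZE_KEY must be defined with at least 32 bytes');
    }
    return (string) SIGNED_SERIALIZE_KEY;
}

// Sign raw serialized bytes; the migration uses this so untrusted cells are never
// unserialize()d merely to be re-signed.
function ss_sign_bytes(string $blob): string
{
    return $blob . SS_MARK . hash_hmac(SS_ALGO, $blob, ss_key());
}

// Drop-in for maybe_serialize(): serialize and sign.
function sign_serialize($value): string
{
    return ss_sign_bytes(serialize($value));
}

// [serialized bytes, mac] when a well-formed trailer is present, otherwise null.
function ss_split(string $data): ?array
{
    $pos = strrpos($data, SS_MARK);
    if ($pos === false) { return null; }
    $mac = substr($data, $pos + strlen(SS_MARK));
    if (strlen($mac) !== SS_HEX_LEN || !ctype_xdigit($mac)) { return null; }
    return [substr($data, 0, $pos), $mac];
}

function ss_verify(string $blob, string $mac): bool
{
    return hash_equals(hash_hmac(SS_ALGO, $blob, ss_key()), $mac);
}

// Drop-in for maybe_unserialize(): only MAC-verified bytes reach unserialize().
// $permissive is the post's monitoring mode: log and continue instead of refusing,
// so you can see which code paths still write unsigned values.
function verify_unserialize($data, bool $permissive = false, ?callable $log = null)
{
    if (!is_string($data)) { return $data; }
    $parts = ss_split($data);
    if ($parts !== null) {
        [$blob, $mac] = $parts;
        if (ss_verify($blob, $mac)) {
            return unserialize($blob); // consider ['allowed_classes' => false] if your site stores no objects
        }
        if ($log) { $log('bad signature', $data); }
        return $permissive ? unserialize($blob) : $data;
    }
    if (is_serialized($data, false)) {
        if ($log) { $log('unsigned serialized value', $data); }
        return $permissive ? unserialize($data) : $data;
    }
    return $data; // plain string, returned as-is like maybe_unserialize()
}

// One step of the migration loop: the re-signed cell, or null when it must be left
// alone (not serialized, already signed, or a trailer whose MAC fails: re-signing
// that would launder tampered data, so it is logged instead).
function ss_migrate_cell(string $cell, ?callable $log = null): ?string
{
    $parts = ss_split($cell);
    if ($parts !== null) {
        if (!ss_verify($parts[0], $parts[1]) && $log) { $log('refusing to re-sign cell with bad MAC', $cell); }
        return null;
    }
    return is_serialized($cell, false) ? ss_sign_bytes($cell) : null;
}

// Constructed demo cells (not real site data). Against $wpdb you would SELECT each text
// column, run ss_migrate_cell() per cell and UPDATE only the non-null results.
define('SIGNED_SERIALIZE_KEY', 'dev-only-secret-replace-with-32-plus-random-bytes');
$log   = static fn(string $msg, string $cell) => fwrite(STDERR, "$msg: $cell\n");
$cells = [
    serialize(['siteurl' => 'https://example.test', 'n' => 3]), // legacy unsigned: gets signed
    'plain text option',                                        // untouched
    sign_serialize('already signed'),                           // untouched
    serialize('x') . SS_MARK . str_repeat('0', SS_HEX_LEN),     // bad MAC: refused
];
foreach ($cells as $cell) {
    $new = ss_migrate_cell($cell, $log);
    printf("%-70s => %s\n", substr($cell, 0, 68), $new === null ? '(unchanged)' : 'signed');
}
var_dump(verify_unserialize($cells[2])); // verified: the original value comes back
var_dump(verify_unserialize($cells[3])); // bad MAC: the raw string comes back, never unserialize()d
```

Two points a practitioner should keep in mind: the migration blesses whatever is in the database at that moment, so run it once from a state you trust; and the secret constant is the whole scheme, so anyone who can read wp-config.php can forge cells, which is the same trust boundary WordPress already places on its salts.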
With only one constant many problems are solved at once: wordpress-importer, wp-cli, all of those maintenance plugins, every plugin/theme/script that meddles with serialized content, and it would also prevent future "whoops" moments in the core.
One way or another, serialization gonna find ya, gonna get ya, get ya
If you are a WP developer, a WP hosting provider or a WP security product provider with a valuable list of clients, we offer a subscription list, and we are exceptional (B2B only).