[4.7] Backport CVE-2020-28032: disable deserialization in Requests_Utility_FilteredIterator#11693
[4.7] Backport CVE-2020-28032: disable deserialization in Requests_Utility_FilteredIterator#11693vulgraph wants to merge 1 commit intoWordPress:4.7from
Conversation
…redIterator Props xknown, peterwilsoncc, desrosj, dd32, whyisjake. Merges [49373] to trunk. git-svn-id: https://develop.svn.wordpress.org/trunk@49382 602fd350-edb4-49c9-b593-d223f7449a82 (cherry picked from commit add6bed)
Trac Ticket MissingThis pull request is missing a link to a Trac ticket. For a contribution to be considered, there must be a corresponding ticket in Trac. To attach a pull request to a Trac ticket, please include the ticket's full URL in your pull request description. More information about contributing to WordPress on GitHub can be found in the Core Handbook. |
|
Hi @vulgraph! 👋 Thank you for your contribution to WordPress! 💖 It looks like this is your first pull request to No one monitors this repository for new pull requests. Pull requests must be attached to a Trac ticket to be considered for inclusion in WordPress Core. To attach a pull request to a Trac ticket, please include the ticket's full URL in your pull request description. Pull requests are never merged on GitHub. The WordPress codebase continues to be managed through the SVN repository that this GitHub repository mirrors. Please feel free to open pull requests to work on any contribution you are making. More information about how GitHub pull requests can be used to contribute to WordPress can be found in the Core Handbook. Please include automated tests. Including tests in your pull request is one way to help your patch be considered faster. To learn about WordPress' test suites, visit the Automated Testing page in the handbook. If you have not had a chance, please review the Contribute with Code page in the WordPress Core Handbook. The Developer Hub also documents the various coding standards that are followed:
Thank you, |
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Core Committers: Use this line as a base for the props when committing in SVN: To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
|
Thanks for the heads-up from the bot. Reading CONTRIBUTING.md more carefully, I see GitHub PRs are not the actual merge path for WordPress core, and a Trac ticket is needed even for review. I couldn't find an existing Trac ticket tracking a 4.7 backport for CVE-2020-28032, so I'll close this to avoid adding noise to your PR queue. If a Trac ticket for the 4.7 backport gets opened later, the cherry-pick I prepared is at vulgraph/wordpress-develop:backport/CVE-2020-28032-4.7 (1 file, 16 lines added, no test changes). Sorry for the round-trip. |
2 participants
WP 4.7 still ships the pre-fix
Requests_Utility_FilteredIterator(nounserialize/__unserialize/__wakeupoverrides). CVE-2020-28032 was patched on trunk by [49373] (commitadd6bedf3a, 2020-10-29) but never reached the 4.7 branch, whichSECURITY.mdlists as still supported.This PR cherry-picks
add6bedf3aonto 4.7, dropping the unrelated test-file change since 4.7tests/phpunit/tests/functions.phphas diverged from trunk. The resulting diff is 16 lines added to one file (src/wp-includes/Requests/Utility/FilteredIterator.php), preserving the original author and(cherry picked from commit add6bedf3a...)trailer.CONTRIBUTING.md says PRs need a corresponding Trac ticket. I can open a Trac ticket for the 4.7 backport if one isn't already tracked.