Harden `unserialize()` with `allowed_classes => ['stdClass']` and add override hook by Copilot · Pull Request #230 · wp-cli/search-replace-command

Copilot · 2026-04-27T11:41:19Z

wp search-replace called unserialize() without restricting class instantiation, allowing arbitrary magic methods to execute on data retrieved from the database. This adds ['allowed_classes' => ['stdClass']] as the default, blocking instantiation of arbitrary user-defined classes while still allowing stdClass — a built-in PHP type with no magic methods that WordPress uses extensively for theme mods, widget data, and other serialized options.

Changes

src/WP_CLI/SearchReplacer.php: Passes ['allowed_classes' => ['stdClass']] to unserialize() by default. The value is resolved once per SearchReplacer instance via a new filter hook:
```
WP_CLI::add_hook( 'search_replace_unserialize_options', function() {
    return [ 'allowed_classes' => [ 'stdClass', 'MyPlugin\SafeClass' ] ];
} );
```
features/search-replace.feature:
- Adds a scenario verifying the default behavior blocks user-defined class instantiation and the hook restores it for specific classes. The scenario uses a custom MyClass object stored directly via SQL to demonstrate that custom classes are converted to __PHP_Incomplete_Class by default (warning + 0 replacements), and the hook can allow them (1 replacement).
- Updates the three PHP-version-specific mysqli_result scenarios — previously each PHP version triggered a different error path during object iteration/deserialization; with custom classes blocked by default, mysqli_result is never instantiated on any version, so all three now expect the same "Skipping an uninitialized class" warning and 1 replacement (from the malformed cereal_isation_2 entry which falls through to raw string replacement).

codecov · 2026-04-27T11:49:28Z

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

…e default Agent-Logs-Url: https://github.com/wp-cli/search-replace-command/sessions/00af441b-87d8-4c9e-83f9-25a04393eb6e Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>

…ion scenarios Agent-Logs-Url: https://github.com/wp-cli/search-replace-command/sessions/59e4a42c-8f86-450d-b2b6-ee493abb4b19 Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>

…tent Agent-Logs-Url: https://github.com/wp-cli/search-replace-command/sessions/0832cf35-01cd-463e-8334-064918206a6c Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>

Agent-Logs-Url: https://github.com/wp-cli/search-replace-command/sessions/599c39d4-de3e-4bc3-a371-0e93ec6c6a78 Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>

Initial plan

ae9766b

Copilot AI assigned Copilot and swissspidy Apr 27, 2026

Copilot started work on behalf of swissspidy April 27, 2026 11:41 View session

Copilot AI linked an issue Apr 27, 2026 that may be closed by this pull request

Add hook to provide allowed_classes for unserialize() usage #229

Open

github-actions Bot added command:search-replace Related to 'search-replace' command scope:testing Related to testing labels Apr 27, 2026

Add search_replace_unserialize_options hook with allowed_classes=fals…

2cdb92b

…e default Agent-Logs-Url: https://github.com/wp-cli/search-replace-command/sessions/00af441b-87d8-4c9e-83f9-25a04393eb6e Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>

Copilot AI changed the title ~~[WIP] Add hook to provide allowed_classes for unserialize usage~~ Harden unserialize() with allowed_classes => false and add override hook Apr 27, 2026

Copilot AI requested a review from swissspidy April 27, 2026 11:51

Copilot finished work on behalf of swissspidy April 27, 2026 11:51