Anatomy of a Critical Security Bug

Is this security bug fixable? Have you ever had that thought and then panicked a little? How do you find the balance of security vs usability? You want a secure site but you also want it to be user-friendly.

In this session, Andrew Nacin walks step by step through how a critical security vulnerability was discovered and then patched using emoji as a trojan horse in WordPress 4.2.

What You’ll Learn

  • What happens when strict mode is off
  • Object injection and PHP serialization for options and meta
  • How to solve the problem that MySQL’s default utf8 character set only stores 3-byte characters
  • Preflight checks
  • Multibyte comment injection