#12060 closed defect (bug) (fixed)
Asymmetric Slashing in [12052]
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Priority: | normal | Milestone: | 2.9.2 |
| Component: | Query | Version: | 2.9 |
| Severity: | normal | Keywords: | |
| Cc: | westi |
Description
Westi changed the string literal
'return trim($a, "\\"\'\\n\\r ");'
to
return trim($t, "\"\'\n\r ");
These are not syntactically equivalent, and the new version could break future attempts at wildcard escaping.
For example, term\ is prevented, but %term is now unescaped.
Change History (8)
comment:1
miqrogroove — 3 years ago
comment:2
miqrogroove — 3 years ago
The obvious candidates so far:
redirect_guess_404_permalink() in canonical.php
check_comment() in comment.php
do_enclose() in functions.php
get_posts() in query.php
wp_delete_attachment() in post.php
wp_post_mime_type_where() in post.php
get_terms() in taxonomy.php
comment:3
miqrogroove — 3 years ago
I had some success patching the query(LIKE query()) type stuff, but query(LIKE $_GET) is a huge problem. Because of the calls to add_magic_quotes() in wp-settings.php, there is not a clean input path. I would have to use an insane pattern query(LIKE escape(like_escape(query($_GET)))) to recode the slashes after wp-settings runs.
- Cc westi added
Thanks for catching this mistake.
I have been through the conversion again and from what I can see the correct argument for trim in the new function is:
"\"'\n\r "
The mistake I made in the conversion was to keep the \ before the single quote.
Do you concur?
comment:5
miqrogroove — 3 years ago
Yep, as simple as that.
- Resolution set to fixed
- Status changed from new to closed
comment:8
miqrogroove — 3 years ago
Very cool. Mark and I are going to take the like_escape() discussion over to #12123 because he wants to change add_magic_quotes() as well.
Per chat in IRC, MarkJaquith says to patch any instance of LIKE that is not using like_escape() from formatting.php.
I think that can be handled in this same ticket.