Opened 3 years ago

Last modified 3 years ago

#12302 new defect (bug)

add_metadata() Fails to Store Serialized Values as BINARY

Reported by: miqrogroove
Owned by: ryan
Priority: high
Milestone: Future Release
Component: Database
Version:
Severity: critical
Keywords: needs-patch
Cc:

Description

Symptoms:

WordPress stores corrupt values in post_metadata if there are any non-UTF-8 bytes in the meta_value.

Steps to reproduce:

Call add_metadata() with non-UTF-8 values such as a latin-1 copyright char.

Even though the serialized string goes through prepare() before the query, MySQL is required to truncate the invalid value being assigned to the meta_value field. The result is that the stored value can never be un-serialized.

This behavior can also be replicated by trying to inject CHAR(169) into any UTF-8 table query.
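The failure described above can be reproduced without a database. This is an added example, not part of the original ticket and not WordPress code. The function names `is_valid_utf8()` and `simulate_utf8_column()` are hypothetical, the sample value is constructed, and MySQL's truncation is simulated by keeping only the longest valid UTF-8 prefix.

```php
<?php
// Added illustration, not WordPress code. No database is involved: the
// truncation the ticket attributes to MySQL is simulated (assumption) by
// keeping only the longest valid UTF-8 prefix of the serialized string.

/** True when $bytes is well-formed UTF-8 (PCRE's /u flag rejects anything else). */
function is_valid_utf8(string $bytes): bool
{
    return preg_match('//u', $bytes) === 1;
}

/** Simulated UTF-8 column: everything from the first invalid byte on is lost. */
function simulate_utf8_column(string $bytes): string
{
    for ($n = strlen($bytes); $n > 0; $n--) {
        $prefix = substr($bytes, 0, $n);
        if (is_valid_utf8($prefix)) {
            return $prefix;
        }
    }
    return '';
}

// Constructed sample: \xA9 is the Latin-1 copyright character, which is
// not a valid byte sequence in UTF-8.
$meta = ['credit' => "Photo \xA9 2010 Example"];

// serialize() records the byte length of each string (s:<length>:"...").
$serialized = serialize($meta);

// A check like this before storage would flag the value instead of
// letting it be silently truncated.
echo "valid UTF-8 before storage: ";
var_dump(is_valid_utf8($serialized));

// What survives the simulated column: the string is cut at \xA9, but the
// s:<length> prefix still declares the original byte count.
$stored = simulate_utf8_column($serialized);
echo "stored value: ";
var_dump($stored);

// unserialize() cannot find the declared number of bytes and fails.
// The @ suppresses the notice PHP raises for the malformed input.
echo "unserialize(stored): ";
var_dump(@unserialize($stored));
```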

Change History (4)

  • Summary changed from add_metadata() Fails to Validate Inputs Before Serializing Them to add_metadata() Fails to Store Serialized Values as BINARY

After giving this some thought, I've come to these conclusions:

  1. Post metas are not binary-safe.
  2. There is no way to make them binary-safe without converting all existing values to a proper binary column.

Similar bugs referenced here: #9549

comment:4 dd32 3 years ago

  • Keywords needs-patch added
  • Milestone changed from 3.0 to Future Release

Shifting to Future Release pending patch. Too close to release to be changing anything related to the Schema anyway.
