WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 4 years ago

#10656 closed defect (bug) (fixed)

Creating or updating serialized custom field values via XML-RPC serializes them again

Reported by: JonathanRogers Owned by: josephscott
Milestone: 2.9 Priority: high
Severity: normal Version: 2.9
Component: XML-RPC Keywords: has-patch tested
Focuses: Cc:

Description

If one creates or updates a page via XML-RPC and the page has custom fields with values that are PHP serialized strings, they will be silently corrupted by serializing them again. Other strings are unmodified.

Attachments (3)

wordpress_xmlrpc_custom_serialized.patch (2.4 KB) - added by JonathanRogers 5 years ago.
Prevents XML-RPC server from re-serializing custom field values that are already serialized.
wp-test.py (824 bytes) - added by Sewar 4 years ago.
This script could be used to test XML-RPC functions of Wordpress, including post meta.
10656.patch (1.5 KB) - added by Sewar 4 years ago.
Fixes the bug

Download all attachments as: .zip

Change History (8)

JonathanRogers5 years ago

Prevents XML-RPC server from re-serializing custom field values that are already serialized.

comment:1 Sewar4 years ago

  • Cc xsewarx@… added
  • Keywords has-patch tested added
  • Priority changed from normal to high

I have faced the same problem, applied this patch and it worked very well. I will attach a python script that can be used to test this.

Sewar4 years ago

This script could be used to test XML-RPC functions of Wordpress, including post meta.

comment:2 Sewar4 years ago

  • Keywords tested removed

Actually the patch seems not working very well, will do more tests and update later.

Sewar4 years ago

Fixes the bug

comment:3 Sewar4 years ago

  • Keywords tested added
  • Milestone changed from Unassigned to 2.9
  • Version changed from 2.8.4 to 2.9

The bug is in using stripslashes and trim functions which returns strings, so they will convert any value to string (like arrays to "Array"). I have tested it with XML-RPC "metaWeblog.newPost" and worked very well.

comment:4 ryan4 years ago

I think stripslashes_deep() would be appropriate here.

comment:5 automattor4 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [12336]) Use stripslashes_deep to strip meta values. Props JonathanRogers, Sewar. fixes #10656

Note: See TracTickets for help on using tickets.