Make WordPress Core

Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#12060 closed defect (bug) (fixed)

Asymmetric Slashing in [12052]

Reported by: miqrogroove Owned by: ryan
Milestone: 2.9.2 Priority: normal
Severity: normal Version: 2.9
Component: Query Keywords:
Focuses: Cc:


Westi changed the string literal

'return trim($a, "\\"\'\\n\\r ");'


return trim($t, "\"\'\n\r ");

These are not syntactically equivalent, and the new version could break future attempts at wildcard escaping.

For example, term\ is prevented, but %term is now unescaped.

Change History (8)

#1 @miqrogroove
8 years ago

Per chat in IRC, MarkJaquith says to patch any instance of LIKE that is not using like_escape() from formatting.php.

I think that can be handled in this same ticket.

#2 @miqrogroove
8 years ago

The obvious candidates so far:

redirect_guess_404_permalink() in canonical.php
check_comment() in comment.php
do_enclose() in functions.php
get_posts() in query.php
wp_delete_attachment() in post.php
wp_post_mime_type_where() in post.php
get_terms() in taxonomy.php

#3 @miqrogroove
8 years ago

I had some success patching the query(LIKE query()) type stuff, but query(LIKE $_GET) is a huge problem. Because of the calls to add_magic_quotes() in wp-settings.php, there is not a clean input path. I would have to use an insane pattern query(LIKE escape(like_escape(query($_GET)))) to recode the slashes after wp-settings runs.

#4 @westi
8 years ago

  • Cc westi added

Thanks for catching this mistake.

I have been through the conversion again and from what I can see the correct argument for trim in the new function is:

"\"'\n\r "

The mistake I made in the conversion was to keep the \ before the single quote.

Do you concur?

#5 @miqrogroove
8 years ago

Yep, as simple as that.

#6 @westi
8 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [12958]) Fix bug in _search_terms_tidy. Fixes #12060 for trunk props miqrogroove.

#7 @westi
8 years ago

(In [12959]) Fix bug in _search_terms_tidy. Fixes #12060 for 2.9 branch props miqrogroove.

#8 @miqrogroove
8 years ago

Very cool. Mark and I are going to take the like_escape() discussion over to #12123 because he wants to change add_magic_quotes() as well.

Note: See TracTickets for help on using tickets.