Make WordPress Core

Opened 15 years ago

Closed 15 years ago

Last modified 15 years ago

#12281 closed defect (bug) (fixed)

Double Escaped Problem in wp_getComments

Reported by: josephscott
Owned by: josephscott
Milestone: 3.0
Priority: normal
Severity: normal
Version:
Component: XML-RPC
Keywords: has-patch
Focuses:
Cc:

Description

The XML-RPC method wp.getComments uses the wp_getComment function to gather up the individual comment details. It provides the wp_getComment with the already escaped version of blog_id, username, and password. The wp_getComment function then escapes those values again. This causes a problem if your password happens to have a single quote in it.

We need to pass the original, un-escaped, raw arguments to wp_getComment so that they don't end up escaped twice. I've created a patch that keeps a copy of $args in $raw_args and uses those when calling wp_getComment.

This is definitely a bug so I'd like to see it in 3.0. If we have another 2.9.x release it should probably go in there as well. I'm happy to put together a 2.9.x specific patch if we do that.

Attachments (1)

xmlrpc.php.diff (619 bytes) - added by josephscott 15 years ago.
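
The double escaping described in this ticket, as an added example that is not WordPress core code and not the attached patch. All function names and the sample account are hypothetical stand-ins, `addslashes` stands in for the server's escape step, and the login check is assumed to tolerate exactly one level of escaping.

```php
<?php
// Added illustration only; every name below is a hypothetical stand-in.

// Stand-in for the escape step each XML-RPC handler applies to its arguments.
function escape_args(array $args): array {
    return array_map('addslashes', $args);
}

// Assumption for this sketch: the credential check expects input that was
// escaped exactly once, so it undoes one level before comparing.
function login(string $username, string $password): bool {
    $stored = ['joe' => "pa'ss"]; // constructed sample account
    $username = stripslashes($username);
    return isset($stored[$username])
        && hash_equals($stored[$username], stripslashes($password));
}

// Per-comment handler: escapes whatever it receives, then authenticates.
function get_comment(array $args): bool {
    [$blog_id, $username, $password, $comment_id] = escape_args($args);
    return login($username, $password);
}

// Before the fix: the list handler forwards values it has already escaped,
// so get_comment() escapes them a second time.
function get_comments_buggy(array $args): bool {
    [$blog_id, $username, $password] = escape_args($args);
    if (!login($username, $password)) {
        return false;
    }
    return get_comment([$blog_id, $username, $password, 1]);
}

// After the fix: keep a raw copy and hand that to the per-comment handler,
// which then applies the single expected level of escaping itself.
function get_comments_fixed(array $args): bool {
    $raw_args = $args;
    [$blog_id, $username, $password] = escape_args($args);
    if (!login($username, $password)) {
        return false;
    }
    return get_comment([$raw_args[0], $raw_args[1], $raw_args[2], 1]);
}

$request = [1, 'joe', "pa'ss"]; // constructed request: password contains a single quote
var_dump(get_comments_buggy($request));
var_dump(get_comments_fixed($request));
```

With the constructed password, the list handler's own login succeeds in both versions; only the nested per-comment call in the buggy version rejects the credentials, because the password reaches it with two levels of backslashes.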


Change History (5)

#1 @ryan
15 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [13208]) Fix double escaping in wp_getComments. Props josephscott. fixes #12281 for 2.9

#2 @ryan
15 years ago

  • Milestone changed from 3.0 to 2.9.3

[13207] for trunk.

#3 @nacin
15 years ago

  • Milestone 2.9.3 deleted

#4 @nacin
15 years ago

  • Milestone set to 3.0