add_metadata() Fails to Store Serialized Values as BINARY
|Reported by:||miqrogroove||Owned by:||ryan|
WordPress stores corrupt values in post_metadata if there are any non-UTF-8 bytes in the meta_value.
Steps to reproduce:
Call add_metadata() with non-UTF-8 values such as a latin-1 copyright char.
Even though the serialized string goes through prepare() before the query, MySQL is required to truncate the invalid value being assigned to the meta_value field. The result is that the stored value can never be un-serialized.
This behavior can also be replicated by trying to inject CHAR(169) into any UTF-8 table query.
Change History (7)
comment:1 miqrogroove — 4 years ago
- Summary changed from add_metadata() Fails to Validate Inputs Before Serializing Them to add_metadata() Fails to Store Serialized Values as BINARY
- Keywords needs-patch added
- Milestone changed from 3.0 to Future Release
- Keywords close added
- Priority changed from high to normal
- Severity changed from critical to normal
- Version set to 3.0
- Milestone Future Release deleted
- Resolution set to wontfix
- Status changed from new to closed