Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 3 years ago

#18593 closed defect (bug) (invalid)

WP Object Cache global can be easily hijacked, so some functions return fatal errors

Reported by: wonderboymusic Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.3
Component: Cache API Keywords: has-patch
Focuses: Cc:


I noticed this when uploading images in Multisite mode with Memcached WP Object Cache backend installed - cache methods produce fatal errors because the $wp_object_cache global var has been hijacked and the competing class doesn't implement the same methods as the built-in WP cache class

A good long-term solution would be to require any WP Object Cache class to implement the same interface (fat chance), so in the meantime, I have hardened all of the cache functions so they can't call a method that the referenced at runtime WP_Object_Cache class doesn't have

Attachments (1)

harden-cache.diff (2.4 KB) - added by wonderboymusic 4 years ago.
Patch for this ticket

Download all attachments as: .zip

Change History (4)

@wonderboymusic4 years ago

Patch for this ticket

comment:1 follow-up: @dd324 years ago

I would argue that this is part of the life of using "advanced dropins" - to ensure that they're kept up to date when you upgrade core.

All the methods/functions which you've patched here, are ideally, a "core functionality" of the class and are required.. When new functionality is introduced, the best has been done to prevent fataling completely: through the usage of function_exists().

If anything, My only thought here is that dropins should have some kind of update notification - perhaps tied into a plugin, like most caching plugins do.

comment:2 @ryan4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Alternative caches should be using object-cache.php thus avoiding cache.php being loaded at all.

The Memcached and APC backends maintained by myself and Mark do have the same public interfaces as core. Direct access through $wp_object_cache is not public, but we generally try to keep that API in sync too. If there are bugs here, let's fix them in memcached and apc.

Last edited 4 years ago by ryan (previous) (diff)

comment:3 in reply to: ↑ 1 @mikeschinkel3 years ago

  • Cc mikeschinkel@… added

Replying to dd32:

I would argue that this is part of the life of using "advanced dropins" - to ensure that they're kept up to date when you upgrade core.

Related #21412

Note: See TracTickets for help on using tickets.