WordPress.org

Make WordPress Core

Opened 7 years ago

Closed 11 months ago

#19455 closed defect (bug) (wontfix)

The "magic_quotes_sybase" Problem

Reported by: summerblue Owned by: johnbillion
Milestone: Priority: normal
Severity: normal Version:
Component: Bootstrap/Load Keywords: needs-patch needs-unit-tests
Focuses: Cc:

Description (last modified by SergeyBiryukov)

Post A Post, titled (in the double quote) : "Charlie's little cat"

It will become (in the double quote) : "Charlie''s little cat"

Notice that, single quote become double quotes!!

YES , My 'magic_quotes_gpc' and 'magic_quotes_sybase' are enabled!

Here is The PHP.NET links: http://php.net/manual/en/security.magicquotes.disabling.php

Attachments (5)

magic_quotes_sybase.png (2.4 KB) - added by summerblue 7 years ago.
19455.patch (921 bytes) - added by kurtpayne 6 years ago.
19455.2.patch (932 bytes) - added by chriscct7 3 years ago.
19455.2-tests.patch (2.0 KB) - added by lucatume 3 years ago.
Unit tests first draft
19455.2-tests.2.patch (2.4 KB) - added by lucatume 3 years ago.
Modified version of the tests to set ini settings before each

Download all attachments as: .zip

Change History (25)

#1 @ryan
7 years ago

Related: r18549

#2 @SergeyBiryukov
7 years ago

  • Description modified (diff)

#3 @summerblue
7 years ago

Here is the solution :

Remove the line below, it's in the "wp-settings.php" Line 33. It's in the wrong position!

@ini_set( 'magic_quotes_sybase', 0 );

And then, in the "wp-includes/load.php", in The function "wp_magic_quotes()" add the code below, immediately after "if ( get_magic_quotes_gpc() ) {}"

function wp_magic_quotes() {
	// If already slashed, strip.
	if ( get_magic_quotes_gpc() ) {
		$_GET    = stripslashes_deep( $_GET    );
		$_POST   = stripslashes_deep( $_POST   );
		$_COOKIE = stripslashes_deep( $_COOKIE );
	}

	// Put it right here can solve the Problem. 
	// Just Mack sure turn of action is Occur after the "stripslashes_deep" action has done.
	if(ini_get('magic_quotes_sybase') && function_exists('ini_set')) {
		ini_set( 'magic_quotes_sybase', 0 );
	}
	
	// Escape with wpdb
	$_GET    = add_magic_quotes( $_GET    );
	$_POST   = add_magic_quotes( $_POST   );
	$_COOKIE = add_magic_quotes( $_COOKIE );
	$_SERVER = add_magic_quotes( $_SERVER );

	// Force REQUEST to be GET + POST
	$_REQUEST = array_merge( $_GET, $_POST );
}
}

#5 @kurtpayne
6 years ago

  • Cc kpayne@… added

I can reproduce this. Here's what's happening:

  1. $_POST comes in with sybase quotes (e.g. Charlie''s little cat)
  2. magic_quotes_sybase is disabled
  3. stripslashes() is run on $_POST which respects sybase quotes settings.
    1. With sybase quotes disabled (current behavior), stripslashes is looking for \' instead of '' and this is not converted correctly.
    2. With sybase quotes still enabled (@summerblue's solution), stripslashes is looking for '', and the input is converted properly (e.g. Charlie''s -> Charlie's), then magic_quotes_sybase is disabled

I tested this solution on all possible combinations of magic_quotes_gpc, magic_quotes_runtime, and magic_quotes_sybase with no problems.

@kurtpayne
6 years ago

#6 @SergeyBiryukov
6 years ago

  • Keywords has-patch added

#7 @nacin
4 years ago

  • Component changed from General to Bootstrap/Load

@chriscct7
3 years ago

#8 @chriscct7
3 years ago

  • Milestone changed from Awaiting Review to 4.4

Refreshed patch

#9 @DrewAPicture
3 years ago

  • Owner changed from 夏天 to pento
  • Status changed from new to assigned

#10 @pento
3 years ago

  • Keywords needs-unit-tests added
  • Owner pento deleted

I'm cool with committing this, if it has some unit tests.

#11 @wonderboymusic
3 years ago

  • Keywords close added

I can't reproduce this - does anyone have definitive steps?

#12 @lucatume
3 years ago

I've added a first unit tests draft for the patch and am open to suggestions about extension and modifications.

@lucatume
3 years ago

Unit tests first draft

#13 @johnbillion
3 years ago

  • Keywords has-unit-tests added; needs-unit-tests close removed

Working on this at WordPress Contributor Day Milan. We've realised that this requires PHP < 5.4 and magic_quotes_sybase to be enabled.

Using phpbrew we've reproduced the problem. @lucatume is working on updated tests.

#14 @lucatume
3 years ago

Here is the modified version of the tests that's taking care of setting the magic_quotes_sybase to 1 before running the tests.

Contribution made during 11/7 Contributor Day in Milan, Italy.

@lucatume
3 years ago

Modified version of the tests to set ini settings before each

#15 @wonderboymusic
3 years ago

  • Owner set to johnbillion

#16 @johnbillion
3 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 35639:

On servers running PHP <= 5.4 which have magic_quotes_sybase enabled, the superglobals need to be magic-quoted before magic_quotes_sybase is subsequently disabled to avoid incorrect un-slashing. This must surely effect a miniscule number of servers, but so be it.

Fixes #19455
Props summerblue, kurtpayne, lucatume

#17 @johnbillion
3 years ago

  • Keywords needs-patch needs-unit-tests added; has-patch has-unit-tests removed
  • Resolution fixed deleted
  • Status changed from closed to reopened
  • Version 3.2.1 deleted

#18 @johnbillion
3 years ago

In 35641:

Revert [35639] pending investigation into failures on PHP 5.2.

See #19455

#19 @johnbillion
3 years ago

  • Milestone changed from 4.4 to Future Release

I'm getting a bunch of build errors when trying to install PHP 5.2 with phpbrew, so this will have to be punted for now.

#20 @johnbillion
11 months ago

  • Milestone Future Release deleted
  • Resolution set to wontfix
  • Status changed from reopened to closed
Note: See TracTickets for help on using tickets.