Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#35408 closed defect (bug) (fixed)

Side effect wp_create_post_autosave causes $_POST to be unslashed

Reported by: joehoyle Owned by: joehoyle
Milestone: 4.5 Priority: normal
Severity: normal Version: 2.6
Component: Autosave Keywords: has-patch needs-unit-tests
Focuses: Cc:


For some reason (explanation welcome) wp_create_post_autosave assigns it's data to $_POST by reference, in the case of a post auto draft for the revision not already existing, $post_data is passed to wp_unslash in preparing it for _wp_put_post_revision (as _wp_put_post_revision expects unslashed data). This has the nasty side effect of $_POST now being unslashed, when plugins (and other areas of WP) always expect the $_POST superglobal to have slashed data.

I don't know the original reasoning behind passing assigning by reference, it appears to have been introduced in the autosave refactor in https://github.com/WordPress/WordPress/commit/335add2573fd1a2f84071be441d24a053eff8933#diff-c3d5c535db5622f3b0242411ee5f9dfdR1346

I'd like to get some tests for this, however these functions are wrought with superglobals so I'm not sure how easy that will be.

Attachments (1)

35408.diff (461 bytes) - added by joehoyle 6 years ago.

Download all attachments as: .zip

Change History (5)

6 years ago

#1 @joehoyle
6 years ago

  • Owner set to joehoyle
  • Status changed from new to assigned

This ticket was mentioned in Slack in #core by joehoyle. View the logs.

6 years ago

#3 @azaozz
6 years ago

Stripping slashes from the whole $_POST was introduced in r11117 for 2.8 (7 years ago). Don't think that fix for #9433 is still needed but a bit more investigation is in order.

Version 0, edited 6 years ago by azaozz (next)

#4 @azaozz
6 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 36543:

Do not strip slashes from the whole &_POST when doing autosaves.

Props joehoyle.
Fixes #35408.

Note: See TracTickets for help on using tickets.