Make WordPress Core

Opened 2 years ago

Last modified 7 months ago

#47164 new defect (bug)

map_deep in formatting.php does not handle null-byte

Reported by: bitcomplex
Owned by:
Milestone: Future Release
Priority: normal
Severity: critical
Version: 5.2.2
Component: Formatting
Keywords: has-patch needs-unit-tests
Focuses:
Cc:


foreach ( $object_vars as $property_name => $property_value ) {
        $value->$property_name = map_deep( $property_value, $callback );
}

The above code snippet in the function map_deep in formatting.php will trigger a fatal error if for some reason $property_name starts with a null byte. Null bytes can exist in this context if $object_vars for some reason is from an object cast to an array. Private and protected properties will be prefixed with null * null.

We've encountered it in the wild with serialized objects, and even though this is because of faulty programming (child classes with stricter access for properties than the parents), WordPress should handle this.

The simplest solution I can think of is to add:

foreach ( $object_vars as $property_name => $property_value ) {
        if ( ord( $property_name ) === 0 ) {
                continue; // Skip property names that start with a null byte.
        }
        $value->$property_name = map_deep( $property_value, $callback );
}

Attachments (1)

47164.diff (522 bytes) - added by bitcomplex 23 months ago.


Change History (9)

#1 @bitcomplex
2 years ago

  • Severity changed from normal to critical
  • Version set to 5.2.2

I was pretty sure this was an issue related to a PHP bug patched in PHP 7.2 ( https://bugs.php.net/bug.php?id=49649 ).
But after upgrading to 7.3.7 (from 7.1.x) we get issues with this.

Serialized objects fetched from the db fail here. It is possibly because the objects in the db were serialized with an old PHP version where the bug exists. But WP could handle it better.

Error: Cannot access property started with '\0'
#12 /home/httpd/rackesbutiken/rackesbutiken.se/wp-includes/formatting.php(4742): map_deep
#11 /home/httpd/rackesbutiken/rackesbutiken.se/wp-includes/formatting.php(2691): stripslashes_deep
#10 /home/httpd/rackesbutiken/rackesbutiken.se/wp-includes/formatting.php(5342): wp_unslash
#9 /home/httpd/rackesbutiken/rackesbutiken.se/wp-includes/meta.php(182): update_metadata
#8 /home/httpd/rackesbutiken/rackesbutiken.se/wp-includes/post.php(2061): update_post_meta

#2 @bitcomplex
2 years ago

Even though this is old, it pretty much explains the problem in a short and concise way: https://cweiske.de/tagebuch/php-property-started-nul.htm

#3 @SergeyBiryukov
2 years ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to Future Release

Hi @bitcomplex, welcome to WordPress Trac! Thanks for the report.

Just noting that I was able to reproduce the fatal error with this code:

class Dummy {
    public $pub = 0;
    protected $prot = 1;
    private $priv = 2;
}

// The (array) cast prefixes the protected and private names with null bytes.
$test = (object) (array) new Dummy();
$test = stripslashes_deep( $test );

#4 @bitcomplex
23 months ago

  • Keywords has-patch added; needs-patch removed

#5 @bitcomplex
19 months ago

@SergeyBiryukov what can I do to get this patched? Our site breaks for each wp update that touches formatting.php. It's no joke :(

#6 @bitcomplex
17 months ago

@SergeyBiryukov Another update that changes formatting.php so another ping to you on this issue. I don't know what more I should do...

It's not only in formatting.php this issue can arise, but it's the most severe place.

#7 @bitcomplex
10 months ago

2 years and counting. Still have to manually add the fix for this each time there comes a WordPress update. Any news @SergeyBiryukov ?

#8 @rachelbaker
7 months ago

  • Keywords needs-unit-tests added

Some unit tests would be helpful to move this along.

Last edited 7 months ago by rachelbaker
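
A regression check for the failure discussed in this ticket, as an added example that is not part of the ticket, its patch, or WordPress core. It assumes a simplified stand-in, map_vars_demo() (hypothetical name), for the property-assignment loop in map_deep(), and runs it over the array produced by casting a Dummy object whose values are constructed here.

```php
<?php
// Added example, not WordPress core code. map_vars_demo() is a hypothetical
// stand-in for the property-assignment loop in map_deep().

class Dummy {
    public $pub = "O\\'Reilly"; // constructed sample value: O\'Reilly
    protected $prot = 1;
    private $priv = 2;
}

/**
 * Copy $vars onto a fresh stdClass, applying $callback to every value.
 * With $guard = false this is the unguarded assignment quoted in the ticket;
 * with $guard = true it applies the check proposed there.
 */
function map_vars_demo( array $vars, callable $callback, bool $guard ) {
    $out = new stdClass();
    foreach ( $vars as $name => $value ) {
        // Same test as in the ticket: first byte of the name is a null byte.
        // ord() of an empty string is also 0, so an empty name is skipped too.
        if ( $guard && 0 === ord( (string) $name ) ) {
            continue;
        }
        $out->$name = $callback( $value );
    }
    return $out;
}

// The (array) cast exposes the mangled names of non-public properties.
$vars = (array) new Dummy();

// 1. Show the keys with the null bytes made visible.
foreach ( array_keys( $vars ) as $key ) {
    echo 'key: ', str_replace( "\0", '\0', $key ), "\n";
}

// 2. Unguarded loop: writing a property whose name starts with a null byte
//    throws an Error, which is the fatal error reported in the ticket.
try {
    map_vars_demo( $vars, 'stripslashes', false );
    echo "unguarded: completed\n";
} catch ( Error $e ) {
    echo 'unguarded: ', get_class( $e ), ': ', $e->getMessage(), "\n";
}

// 3. Guarded loop: mangled keys are skipped, the public property is unslashed.
$safe = map_vars_demo( $vars, 'stripslashes', true );
var_dump( get_object_vars( $safe ) );
```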