Use of get_object_vars() in sanitize_post() and WP_Post constructor does not handle null byte

[bitcomplex]

In places where get_object_vars is used to loop over an objects properties and then trying to access them null bytes are not handled.

There is an old bug-report (from me) for map_deep #47164 but now we are experience this in other places too; in sanitize_post and in the constructor of class-wp-post.

This is totally destroying our business and I don't know what to do. Since I reported the issue for map_deep I have had to manually patch formatting.php every time there is a WordPress update. But now, trying to handle all the places get_object_vars is used in hopeless.

Best approach to handle this would be to always filter the return values from get_object_vars. Something like:

<?php
    $properties = array_filter( fn( $var ) => ord( $var ) !== 0, get_object_vars( $object )); 

[SergeyBiryukov]

#56690 was marked as a duplicate.

[SergeyBiryukov]

Hi there, welcome back to WordPress Trac!

Thanks for the ticket, sorry it took so long for someone to get back to you.

Moving to 6.2 along with #47164 to get more eyes on both tickets and hopefully resolve them.

[cadic]

I've performed a test across various core functions and was able to reproduce the issue with multiple approaches:

<?php
require_once ABSPATH . WPINC . '/class-wp-network.php';
require_once ABSPATH . WPINC . '/class-wp-site.php';

$test_array = array(
        'post_title' => 'Post Title',
        'post_type'  => 'page',
        "\0"         => 'Nullbyte',
);

$test_object = (object) $test_array;

/**
 * Each of these result in a Fatal Error:
 * Cannot access property starting with "\0"
 */
sanitize_post( $test_object );
new WP_Comment( $test_object );
new WP_Network( $test_object );
new WP_Post( $test_object );
new WP_Term( $test_object );
map_deep( $test_object, 'absint' );
new WP_Site( $test_object );

[cadic]

Could be solved by replacing get_object_vars() with a wrapper function

<?php
function wp_get_object_vars( $object ) {
        return array_filter(
                get_object_vars( $object ),
                function( $key ) {
                        return ord( $key ) !== 0;
                },
                ARRAY_FILTER_USE_KEY
        );
}

Trac ticket: https://core.trac.wordpress.org/ticket/52738#comment:4

[mukesh27]

This ticket was discussed during the recent bug scrub. It looks like it's unlikely that work will be done on this during the 6.2 cycle.

needs-testing added as PR need some testing.

[costdev]

This ticket was discussed in the bug scrub and it was agreed to move this ticket to 6.3 and to reduce the severity to normal. Hopefully we'll land this one next cycle.