Make WordPress Core

Opened 2 years ago

Last modified 3 months ago

#52738 new defect (bug)

Use of get_object_vars() in sanitize_post() and WP_Post constructor does not handle null byte

Reported by: bitcomplex
Owned by:
Milestone: 6.3
Priority: normal
Severity: normal
Version: 5.6.2
Component: Posts, Post Types
Keywords: has-patch has-unit-tests needs-testing
Focuses:
Cc:

Description (last modified by SergeyBiryukov)

In places where get_object_vars is used to loop over an object's properties and then trying to access them, null bytes are not handled.

There is an old bug report (from me) for map_deep #47164, but now we are experiencing this in other places too: in sanitize_post and in the constructor of class-wp-post.

This is totally destroying our business and I don't know what to do. Since I reported the issue for map_deep I have had to manually patch formatting.php every time there is a WordPress update. But now, trying to handle all the places get_object_vars is used is hopeless.

Best approach to handle this would be to always filter the return values from get_object_vars. Something like:

    // Filter on the property names (keys), not the values.
    $properties = array_filter( get_object_vars( $object ), fn( $key ) => ord( $key ) !== 0, ARRAY_FILTER_USE_KEY );

Change History (10)

#1 @SergeyBiryukov
8 months ago

#56690 was marked as a duplicate.

#2 @SergeyBiryukov
8 months ago

  • Component changed from General to Posts, Post Types
  • Description modified (diff)
  • Keywords needs-patch needs-unit-tests added
  • Milestone changed from Awaiting Review to 6.2
  • Summary changed from Use of get_object_vars does not handle null byte to Use of get_object_vars() in sanitize_post() and WP_Post constructor does not handle null byte

Hi there, welcome back to WordPress Trac!

Thanks for the ticket, sorry it took so long for someone to get back to you.

Moving to 6.2 along with #47164 to get more eyes on both tickets and hopefully resolve them.

#3 @cadic
7 months ago

I've performed a test across various core functions and was able to reproduce the issue with multiple approaches:

    require_once ABSPATH . WPINC . '/class-wp-network.php';
    require_once ABSPATH . WPINC . '/class-wp-site.php';

    $test_array = array(
        'post_title' => 'Post Title',
        'post_type'  => 'page',
        "\0"         => 'Nullbyte',
    );

    $test_object = (object) $test_array;

    /*
     * Each of these results in a Fatal Error:
     * Cannot access property starting with "\0"
     */
    sanitize_post( $test_object );
    new WP_Comment( $test_object );
    new WP_Network( $test_object );
    new WP_Post( $test_object );
    new WP_Term( $test_object );
    map_deep( $test_object, 'absint' );
    new WP_Site( $test_object );

#4 @cadic
7 months ago

Could be solved by replacing get_object_vars() with a wrapper function

    function wp_get_object_vars( $object ) {
        return array_filter(
            get_object_vars( $object ),
            // Keep only properties whose name does not start with a null byte.
            function( $key ) {
                return ord( $key ) !== 0;
            },
            ARRAY_FILTER_USE_KEY
        );
    }

Last edited 7 months ago by cadic
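The failure and the key filter discussed above, as an added stand-alone example (not code from this ticket, PR #3607 or WordPress core). The function names `example_get_object_vars()` and `example_copy_fields()` are hypothetical, and the first-byte comparison is an assumption of this example rather than the `ord()` test proposed in the ticket.

```php
<?php
// Added example: runs without WordPress. All function names are hypothetical.

/**
 * Return an object's properties, skipping any whose name starts with a NUL byte.
 */
function example_get_object_vars( object $object ): array {
    return array_filter(
        get_object_vars( $object ),
        static function ( $key ): bool {
            $key = (string) $key; // Numeric property names arrive as int keys.
            // Compare the first byte directly: ord( '' ) is also 0, so an
            // ord()-based test would drop an empty-string key as well.
            return '' === $key || "\0" !== $key[0];
        },
        ARRAY_FILTER_USE_KEY
    );
}

/**
 * Copy properties with the pattern the ticket describes: list the names,
 * then read each property by name.
 */
function example_copy_fields( object $source, callable $list_vars ): array {
    $copy = array();
    foreach ( array_keys( $list_vars( $source ) ) as $field ) {
        $copy[ $field ] = $source->$field; // Throws Error for a "\0..." name.
    }
    return $copy;
}

// Constructed sample input, same shape as the reproduction in comment #3.
$test_object = (object) array(
    'post_title' => 'Post Title',
    'post_type'  => 'page',
    "\0"         => 'Nullbyte',
);

try {
    example_copy_fields( $test_object, 'get_object_vars' );
    echo "unfiltered: no error\n";
} catch ( Error $e ) {
    echo 'unfiltered: ', $e->getMessage(), "\n";
}

// With the filtered listing, the same copy loop completes.
var_export( example_copy_fields( $test_object, 'example_get_object_vars' ) );
```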

This ticket was mentioned in PR #3607 on WordPress/wordpress-develop by @cadic.

7 months ago

  • Keywords has-patch has-unit-tests added; needs-patch needs-unit-tests removed

This ticket was mentioned in Slack in #core by mukeshpanchal27. View the logs.

3 months ago

#7 @mukesh27
3 months ago

  • Keywords needs-testing added

This ticket was discussed during the recent bug scrub. It looks like it's unlikely that work will be done on this during the 6.2 cycle.

needs-testing added as PR needs some testing.

This ticket was mentioned in Slack in #core-test by robinwpdeveloper. View the logs.

3 months ago

This ticket was mentioned in Slack in #core by costdev. View the logs.

3 months ago

#10 @costdev
3 months ago

  • Milestone changed from 6.2 to 6.3
  • Severity changed from critical to normal

This ticket was discussed in the bug scrub and it was agreed to move this ticket to 6.3 and to reduce the severity to normal. Hopefully we'll land this one next cycle.
