Opened 3 years ago
Last modified 7 months ago
#52738 new defect (bug)
Use of get_object_vars() in sanitize_post() and WP_Post constructor does not handle null byte — at Version 2
Reported by: | bitcomplex | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 5.6.2 |
Component: | Posts, Post Types | Keywords: | has-patch has-unit-tests needs-testing changes-requested |
Focuses: | Cc: |
Description (last modified by )
In places where get_object_vars is used to loop over an object's properties and then access them, null bytes are not handled.
There is an old bug report (from me) for map_deep #47164, but now we are experiencing this in other places too: in sanitize_post and in the constructor of class-wp-post.
This is totally destroying our business and I don't know what to do. Since I reported the issue for map_deep I have had to manually patch formatting.php every time there is a WordPress update. But now, trying to handle all the places get_object_vars is used is hopeless.
Best approach to handle this would be to always filter the return values from get_object_vars. Something like:
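<?php // Filter on property names (keys): array_filter() takes the array first; drop names that start with a null byte.
$properties = array_filter( get_object_vars( $object ), fn( $name ) => ord( (string) $name ) !== 0, ARRAY_FILTER_USE_KEY );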
Change History (2)
#2
@
19 months ago
- Component changed from General to Posts, Post Types
- Description modified (diff)
- Keywords needs-patch needs-unit-tests added
- Milestone changed from Awaiting Review to 6.2
- Summary changed from Use of get_object_vars does not handle null byte to Use of get_object_vars() in sanitize_post() and WP_Post constructor does not handle null byte
Hi there, welcome back to WordPress Trac!
Thanks for the ticket, sorry it took so long for someone to get back to you.
Moving to 6.2 along with #47164 to get more eyes on both tickets and hopefully resolve them.
#56690 was marked as a duplicate.