Make WordPress Core

Opened 7 months ago

Closed 5 months ago

Last modified 5 months ago

#59995 closed defect (bug) (fixed)

Taxonomy: Check for empty term after DB sanitization in wp_insert_term

Reported by: fgiannar's profile fgiannar Owned by: fgiannar's profile fgiannar
Milestone: 6.5 Priority: normal
Severity: major Version:
Component: Taxonomy Keywords: has-patch has-unit-tests
Focuses: Cc:

Description

When inserting a new term in the database, wp_insert_term will check if the term is empty and return a corresponing error.

Afterwards the term is sanitized and inserted in the database. However, there's a chance the term is empty after the DB sanitization.

This is never checked though and will result in 1) empty terms in the DB and 2) possible OOM issues in wp_insert_term when checking if the term name matches an existing one because of using get_terms with an empty name argument

Example: wp_insert_term( '<script>Yo</script>', 'post_tag' );

Change History (5)

This ticket was mentioned in PR #5722 on WordPress/wordpress-develop by fgiannar.


7 months ago
#1

  • Keywords has-patch has-unit-tests added

When inserting a new term in the database, wp_insert_term will check if the term is empty and return a corresponding error.
Afterwards the term is sanitized and inserted in the database. However, there's a chance the term is empty after the DB sanitization.
This is never checked though and will result in 1) empty terms in the DB and 2) possible OOM issues in wp_insert_term when checking if the term name matches an existing one because of using get_terms with an empty name argument

The current PR:

  • Adds a check for empty term name after the term is sanitized and returns an error if the term is empty.
  • Adds a corresponding unit test

#2 in reply to: ↑ description @fgiannar
7 months ago

Replying to fgiannar:

Example: wp_insert_term( '<script>Yo</script>', 'post_tag' );

Example: wp_insert_term( '<script>onclick=alert("hello")</script>', 'post_tag' );

#3 @kraftbj
7 months ago

  • Milestone changed from Awaiting Review to 6.5

#4 @SergeyBiryukov
5 months ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 57251:

Taxonomy: Check for empty term after DB sanitization in wp_insert_term().

When inserting a new term in the database, wp_insert_term() will check if the term is empty and return a corresponding error.

Afterwards the term is sanitized and inserted in the database. However, there is a chance the term is empty after the DB sanitization.

This commit adds a check for an empty term name after the term is sanitized, returning an error in that case.

Follow-up to [5726], [8393].

Props fgiannar, kraftbj.
Fixes #59995.

@SergeyBiryukov commented on PR #5722:


5 months ago
#5

Thanks for the PR! Merged in r57251.

Note: See TracTickets for help on using tickets.