[wp-trac] [WordPress Trac] #26829: Use of strpos() in extract_from_markers() and insert_with_markers() can target wrong BEGIN and END markers.

WordPress Trac noreply at wordpress.org
Tue Jan 14 06:16:21 UTC 2014


#26829: Use of strpos() in extract_from_markers() and insert_with_markers() can
target wrong BEGIN and END markers.
--------------------------+-----------------------------
 Reporter:  Faison        |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  trunk
 Severity:  normal        |   Keywords:
--------------------------+-----------------------------
 While working on a plugin, I came across the need to have two sections of
 `BEGIN` and `END` markers in the `.htaccess` file. The most important
 marker section is located at the end of the file with the marker `"e3r"`,
 while the second marker section is at the beginning of the file with the
 marker `"e3r_query_redirects"`. Now when I call `extract_from_markers`
 while passing `"e3r"` as the marker, the contents between the
 `"e3r_query_redirects"` markers are returned.

 Here are steps you can take to see this issue with the function
 `insert_with_markers()`:
 1. Open the `.htaccess` file
 2. Add `# BEGIN WordPress_Foo` to the top of the file, add a couple of
 newlines, and add `# END WordPress_Foo`
 3. Save the `.htaccess` file and close it
 4. Log into the WordPress Dashboard and navigate to '''Settings''' ->
 '''Permalinks'''
 5. Press the '''Save Changes''' Button
 6. Reopen the `.htaccess` file
 7. Notice that the marker section originally labeled `WordPress_Foo` is
 now a duplicate `WordPress` marker section

 You can continue to repeat those steps to generate more duplicate
 `WordPress` marker sections.

 This issue is caused by the use of the `strpos()` function, which looks
 for the position of a substring in a string. So when you have a marker
 section labeled `WordPress_Foo` above the section labeled `WordPress`, the
 `WordPress_Foo` section is found by `strpos()`, which stops the
 `WordPress` section from being found.

 I already wrote a solution that has worked for me so far and I'm including
 a diff file with the changes. Basically, instead of using the function
 `strpos()`, which looks for the position of a substring and causes the
 aforementioned bug, I use the following statement: `if ( "# BEGIN
 {$marker}" === $markerline )`.

 Since this is my first patch to core, I would definitely appreciate all
 feedback :)

 Thanks,
 Faison

--
Ticket URL: <https://core.trac.wordpress.org/ticket/26829>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
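
The substring match described in the report, next to the whole-line comparison it proposes, as an added example (a simplified sketch, not WordPress core code and not the attached patch). The helper `extract_section()`, the two matcher closures, and the `.htaccess` content are constructed for illustration; the `rtrim()` in the exact matcher is this example's own addition so that lines with trailing whitespace or CRLF endings still compare equal.

```php
<?php
// Constructed .htaccess content using the two marker names from the report.
$htaccess = <<<'EOT'
# BEGIN e3r_query_redirects
RewriteRule ^old-page$ /new-page [R=301,L]
# END e3r_query_redirects

# BEGIN e3r
RewriteRule ^e3r/(.*)$ /index.php?e3r=$1 [L]
# END e3r
EOT;

// Hypothetical helper: collect the lines between "# BEGIN <marker>" and
// "# END <marker>", using $matches to decide whether a line is a marker line.
function extract_section( array $lines, string $marker, callable $matches ): array {
    $result = array();
    $inside = false;
    foreach ( $lines as $line ) {
        if ( $matches( $line, "# END {$marker}" ) ) {
            $inside = false;
        }
        if ( $inside ) {
            $result[] = $line;
        }
        if ( $matches( $line, "# BEGIN {$marker}" ) ) {
            $inside = true;
        }
    }
    return $result;
}

// Substring test: "# BEGIN e3r" is also found inside
// "# BEGIN e3r_query_redirects", so the longer-named section matches too.
$substring = fn( string $line, string $needle ): bool => strpos( $line, $needle ) !== false;

// Whole-line comparison, as the report proposes. rtrim() is an assumption of
// this example, added to tolerate trailing whitespace and "\r".
$exact = fn( string $line, string $needle ): bool => rtrim( $line ) === $needle;

$lines = explode( "\n", $htaccess );

echo "Substring match for marker 'e3r':\n";
print_r( extract_section( $lines, 'e3r', $substring ) );

echo "Exact match for marker 'e3r':\n";
print_r( extract_section( $lines, 'e3r', $exact ) );
```

With the substring matcher, the rule from the `e3r_query_redirects` section appears in the result for `e3r`; with the exact matcher, only the rule inside the `e3r` section is returned.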

