[wp-trac] [WordPress Trac] #40716: WordPress's magic quotes emulation doesn't slash keys like PHP's built-in magic quotes

WordPress Trac noreply at wordpress.org
Wed May 10 14:56:50 UTC 2017


#40716: WordPress's magic quotes emulation doesn't slash keys like PHP's built-in
magic quotes
--------------------------+-----------------------------
 Reporter:  jdgrimes      |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  0.71
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 PHP's built-in magic quotes feature
 [https://secure.php.net/manual/en/security.magicquotes.disabling.php#69024
 not only slashed values, but also keys]. However, although WordPress
 emulates the magic quotes feature even when it is disabled/unavailable, it
 has apparently never slashed keys of the GPC arrays, only the values.

 As a consequence of this, I was just dealing with a bug in a plugin that a
 user was experiencing on PHP 5.2, but I had never witnessed on newer
 versions of PHP (5.6, 7.0), which did not have magic quotes enabled.

 The plugin POSTs data via Ajax that includes both keys and values
 containing backslashes. This data will be double-slashed by the magic
 quotes feature. So in the Ajax handler, this data is passed through
 `wp_unslash()`, and so the original, single-slashed values can then be
 utilized. However, `wp_unslash()` does not unslash the keys. When PHP's
 magic quotes are disabled, this is not a problem, because WordPress's
 magic quotes do not slash keys. But on older versions of PHP where magic
 quotes are enabled by default, PHP will slash both the keys and values,
 and `wp_unslash()` will not unslash the keys.


 Data flow:

 {{{
 # WordPress's magic quotes emulation:

 POST               => Data containing slashes in keys and values posted.
 add_magic_quotes() => Slashes in values are escaped.
 wp_unslash()       => Escaping slashes in values removed.

 result: data is unchanged.

 ---

 # PHP's magic quotes:

 POST             => Data containing slashes in keys and values posted.
 magic_quotes_gpc => Slashes in values *and keys* escaped.
 wp_unslash()     => Escaping slashes in values removed.

 result: values unchanged, keys still double-slashed.

 }}}

 In other words, there is an inconsistency in how data is slashed on
 different PHP configurations, despite WordPress's efforts to standardize
 it. The values are consistent in the way that they are slashed, but keys
 are not.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/40716>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
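
The two data flows from the ticket, reproduced as an added PHP example (not WordPress core code and not the reporter's plugin). The first three functions are simplified stand-ins for `add_magic_quotes()`, `magic_quotes_gpc` and `wp_unslash()` as the ticket describes them; `unslash_request()` and its `$keys_were_slashed` flag are hypothetical.

```php
<?php
// Added illustration: simplified stand-ins, not WordPress core code.

// Stand-in for WordPress's emulation as described in the ticket: values only.
function emulate_wp_quotes(array $data) {
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value) ? emulate_wp_quotes($value) : addslashes($value);
    }
    return $data;
}

// Stand-in for magic_quotes_gpc as described in the ticket: keys and values.
function emulate_php_quotes(array $data) {
    $out = array();
    foreach ($data as $key => $value) {
        $out[addslashes($key)] = is_array($value) ? emulate_php_quotes($value) : addslashes($value);
    }
    return $out;
}

// Stand-in for wp_unslash() as described in the ticket: values only.
function unslash_values($data) {
    return is_array($data) ? array_map('unslash_values', $data) : stripslashes($data);
}

// Hypothetical helper: also unslash keys, but only when the caller knows they
// were slashed (assumption: decided from get_magic_quotes_gpc() on PHP
// versions that still provide it).
function unslash_request($data, $keys_were_slashed) {
    if (!is_array($data)) {
        return stripslashes($data);
    }
    $out = array();
    foreach ($data as $key => $value) {
        $clean = ($keys_were_slashed && is_string($key)) ? stripslashes($key) : $key;
        $out[$clean] = unslash_request($value, $keys_were_slashed);
    }
    return $out;
}

// Constructed sample: the key is App\Model, the nested value is C:\temp.
$posted = array('App\\Model' => array('path' => 'C:\\temp'));

var_dump(unslash_values(emulate_wp_quotes($posted)) === $posted);         // emulation flow round-trips
var_dump(array_keys(unslash_values(emulate_php_quotes($posted))));        // PHP flow: keys after values-only unslash
var_dump(unslash_request(emulate_php_quotes($posted), true) === $posted); // PHP flow with keys unslashed
var_dump(array_keys(unslash_request(emulate_wp_quotes($posted), true)));  // flag set on the emulation flow
```

Setting the flag for data that only went through the values-only emulation strips genuine backslashes from the keys, so it has to reflect the actual PHP configuration.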

