[wp-trac] [WordPress Trac] #12302: add_metadata() Fails to Validate Inputs Before Serializing Them
WordPress Trac
wp-trac at lists.automattic.com
Sat Feb 20 10:52:16 UTC 2010
#12302: add_metadata() Fails to Validate Inputs Before Serializing Them
--------------------------+-------------------------------------------------
Reporter: miqrogroove | Owner: ryan
Type: defect (bug) | Status: new
Priority: high | Milestone: 3.0
Component: Database | Version:
Severity: critical | Keywords:
--------------------------+-------------------------------------------------
Symptoms:
WordPress stores corrupt values in post_metadata if there are any non-
UTF-8 bytes in the meta_value.
Steps to reproduce:
Call add_metadata() with non-UTF-8 values such as a latin-1 copyright
char.
Even though the serialized string goes through prepare() before the query,
MySQL is required to truncate the invalid value being assigned to the
meta_value field. The result is that the stored value can never be
unserialized.
This behavior can also be replicated by trying to inject CHAR(169) into
any UTF-8 table query.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/12302>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
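
Added example (not part of the ticket and not WordPress core code): a PHP reproduction of the failure described above, next to a validity check applied before serialize(). The helpers is_valid_utf8(), simulate_utf8_column() and serialize_checked() are hypothetical names, and the column truncation is modelled in PHP rather than performed by MySQL.

```php
<?php
// Added example, not WordPress core code. Models the truncation without a database.

/** True when $s is well-formed UTF-8 (PCRE rejects invalid subjects under /u). */
function is_valid_utf8(string $s): bool {
    return preg_match('//u', $s) === 1;
}

/** Hypothetical stand-in for the column: keep bytes up to the first invalid one. */
function simulate_utf8_column(string $bytes): string {
    $char = '[\x00-\x7F]|[\xC2-\xDF][\x80-\xBF]|\xE0[\xA0-\xBF][\x80-\xBF]'
          . '|[\xE1-\xEC\xEE\xEF][\x80-\xBF]{2}|\xED[\x80-\x9F][\x80-\xBF]';
    preg_match('/^(?:' . $char . ')*/', $bytes, $m);
    return $m[0];
}

/** Hypothetical guard: reject non-UTF-8 strings before they are serialized. */
function serialize_checked($value): string {
    $items = is_array($value) ? $value : [$value];
    array_walk_recursive($items, function ($v) {
        if (is_string($v) && !is_valid_utf8($v)) {
            throw new InvalidArgumentException('meta value contains non-UTF-8 bytes');
        }
    });
    return serialize($value);
}

// Constructed inputs: the same text with a latin-1 and a UTF-8 copyright sign.
$latin1 = ['note' => "Copyright \xA9 2010"];
$utf8   = ['note' => "Copyright \xC2\xA9 2010"];

// Unchecked path: the stored bytes stop at 0xA9, so the declared string
// length no longer matches and unserialize() reports failure.
$stored = simulate_utf8_column(serialize($latin1));
var_dump($stored, @unserialize($stored));

// Checked path: the bad value is refused, the valid one round-trips.
try {
    serialize_checked($latin1);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
$stored = simulate_utf8_column(serialize_checked($utf8));
var_dump(unserialize($stored) === $utf8);
```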