[wp-trac] [WordPress Trac] #12302: add_metadata() Fails to Validate Inputs Before Serializing Them

WordPress Trac wp-trac at lists.automattic.com
Sat Feb 20 10:52:16 UTC 2010


#12302: add_metadata() Fails to Validate Inputs Before Serializing Them
--------------------------+-------------------------------------------------
 Reporter:  miqrogroove   |       Owner:  ryan
     Type:  defect (bug)  |      Status:  new 
 Priority:  high          |   Milestone:  3.0 
Component:  Database      |     Version:      
 Severity:  critical      |    Keywords:      
--------------------------+-------------------------------------------------
 Symptoms:

 WordPress stores corrupt values in post_metadata if there are any non-
 UTF-8 bytes in the meta_value.

 Steps to reproduce:

 Call add_metadata() with non-UTF-8 values such as a latin-1 copyright
 char.

 Even though the serialized string goes through prepare() before the query,
 MySQL is required to truncate the invalid value being assigned to the
 meta_value field.  The result is that the stored value can never be
 unserialized.

 This behavior can also be replicated by trying to inject CHAR(169) into
 any UTF-8 table query.
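The mechanism the ticket describes, as an added example that is not part of the ticket or of WordPress core: PHP's serialize() writes a byte-length prefix, MySQL in non-strict mode cuts a utf8 column value at the first invalid byte sequence, and the prefix then no longer matches the stored bytes. The truncate_at_invalid_utf8() helper below is an assumed model of that MySQL behaviour written for this example, and prepare_meta_value() assumes the caller knows the input is Latin-1; neither function exists in WordPress.

```php
<?php
// Added example: why a non-UTF-8 byte in a meta_value yields a stored value
// that can never be unserialized, and a validation step to apply first.

// Constructed input: the Latin-1 copyright sign is the single byte 0xA9,
// which is not valid UTF-8 on its own.
$latin1_value = "\xA9 2010";

// What add_metadata() hands to the database: PHP's serialized form. The
// length prefix counts bytes, not characters.
$serialized = serialize($latin1_value);   // s:6:"\xA9 2010";

// Model (assumption for this example) of MySQL's non-strict behaviour on a
// utf8 column: the value is cut at the first invalid sequence with only a
// warning, so the statement still succeeds.
function truncate_at_invalid_utf8($bytes) {
    $out = '';
    $len = strlen($bytes);
    $i = 0;
    while ($i < $len) {
        $b = ord($bytes[$i]);
        if ($b < 0x80) { $need = 0; }                 // ASCII
        elseif (($b & 0xE0) == 0xC0) { $need = 1; }   // 2-byte lead
        elseif (($b & 0xF0) == 0xE0) { $need = 2; }   // 3-byte lead
        elseif (($b & 0xF8) == 0xF0) { $need = 3; }   // 4-byte lead
        else { break; }                                // stray continuation or invalid lead byte
        $seq = substr($bytes, $i, $need + 1);
        if (strlen($seq) < $need + 1 || !mb_check_encoding($seq, 'UTF-8')) {
            break;                                     // truncated or malformed sequence
        }
        $out .= $seq;
        $i += $need + 1;
    }
    return $out;
}

$stored = truncate_at_invalid_utf8($serialized);
var_dump($stored);                  // string(5) "s:6:""  -- prefix promises 6 bytes, none stored
var_dump(@unserialize($stored));    // bool(false): the value is unrecoverable

// Validation before serializing: make sure the bytes are valid UTF-8 so the
// length prefix and the stored bytes stay consistent. Rejecting invalid
// input is the safer default; converting is only correct when the source
// encoding is actually known (assumed Latin-1 here).
function prepare_meta_value($value) {
    if (!is_string($value)) {
        return $value;
    }
    if (!mb_check_encoding($value, 'UTF-8')) {
        $value = mb_convert_encoding($value, 'UTF-8', 'ISO-8859-1');
    }
    return $value;
}

$safe = serialize(prepare_meta_value($latin1_value));   // s:7:"\xC2\xA9 2010";
var_dump(unserialize(truncate_at_invalid_utf8($safe)) === "\xC2\xA9 2010"); // bool(true)
```

The same check applies to any string that reaches a utf8 column through prepare(): prepare() escapes quotes and backslashes but does not inspect encoding, so a byte like 0xA9 passes through untouched. WordPress ships wp_check_invalid_utf8() in wp-includes/formatting.php for the rejection step if a caller prefers dropping the value over guessing its encoding.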

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/12302>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software