[wp-trac] [WordPress Trac] #22936: XML-RPC WordPress api setOption double escapes args (was: XML-RPC Wordpress api setOption double escapes args)

WordPress Trac noreply at wordpress.org
Sat Dec 15 04:13:29 UTC 2012


#22936: XML-RPC WordPress api setOption double escapes args
--------------------------+------------------------------
 Reporter:  jachzen       |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  XML-RPC       |     Version:
 Severity:  major         |  Resolution:
 Keywords:  has-patch     |
--------------------------+------------------------------
Changes (by SergeyBiryukov):

 * severity:  blocker => major


Old description:

> Parts of the xml-rpc wordpress api are not usable, as they doublequote
> strings. e.g. "Munich's" becomes "Munich\\'s".
>
> wp.setOptions($args) escapes all args and calls update_option() which is
> then calling mysql_real_escape_string(), leading to a double escaping. To
> solve this options should not be escaped in wp-setOptions() function.
>

> Here the call stack showing the 2nd escaping:
> wp-includes/wp-db.php.wpdb->_real_escape:884
> wp-includes/wp-db.php.wpdb->escape_by_ref:950
> wp-includes/wp-db.php.array_walk:0
> wp-includes/wp-db.php.wpdb->prepare:1003
> wp-includes/wp-db.php.wpdb->update:1365
> wp-includes/option.php.update_option:258

New description:

 Parts of the xml-rpc wordpress api are not usable, as they doublequote
 strings. e.g. `Munich's` becomes `Munich\\'s`.

 wp.setOptions($args) escapes all args and calls update_option() which is
 then calling mysql_real_escape_string(), leading to a double escaping. To
 solve this options should not be escaped in wp-setOptions() function.


 Here the call stack showing the 2nd escaping:
 {{{
 wp-includes/wp-db.php.wpdb->_real_escape:884
 wp-includes/wp-db.php.wpdb->escape_by_ref:950
 wp-includes/wp-db.php.array_walk:0
 wp-includes/wp-db.php.wpdb->prepare:1003
 wp-includes/wp-db.php.wpdb->update:1365
 wp-includes/option.php.update_option:258
 }}}

--

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/22936#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
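An added illustration of the double-escaping path the ticket describes, written for this page and not taken from the ticket or from WordPress core. The functions escape_at_rpc_layer(), escape_at_db_layer(), store_option_buggy() and store_option_fixed() are assumed, simplified stand-ins (built on PHP's addslashes()) for the argument escaping in the XML-RPC handler and the escaping that wpdb->prepare() applies in the call stack above; the point is the number of escaping passes, not the exact escaping function.

```php
<?php
// Added illustration, not WordPress code: what happens when two layers each
// escape the same value before it reaches the database.

// Stand-in (assumed) for the XML-RPC handler escaping every argument it receives.
function escape_at_rpc_layer(array $args): array
{
    return array_map('addslashes', $args);
}

// Stand-in (assumed) for the escaping the database layer applies when it
// builds the query; the real code path uses mysql_real_escape_string().
function escape_at_db_layer(string $value): string
{
    return addslashes($value);
}

// Simulates what MySQL keeps once it removes the one level of escaping
// it expects inside a quoted string literal.
function as_stored(string $query_literal): string
{
    return stripslashes($query_literal);
}

// Buggy path: the RPC layer escapes, then update_option() escapes again.
function store_option_buggy(string $name, string $value): string
{
    $args = escape_at_rpc_layer(['option_name' => $name, 'option_value' => $value]);
    return escape_at_db_layer($args['option_value']);
}

// Fixed path: escape exactly once, at the layer that talks to the database.
function store_option_fixed(string $name, string $value): string
{
    return escape_at_db_layer($value);
}

// Round-trip check: a value written through the path and read back from
// storage must equal the original. This is the assertion a regression test
// for the ticket would make.
function round_trips(callable $store, string $value): bool
{
    return as_stored($store('blogname', $value)) === $value;
}

// Constructed sample input with the apostrophe from the ticket.
$input = "Munich's";

printf("buggy path round-trips: %s\n", round_trips('store_option_buggy', $input) ? 'yes' : 'no');
printf("fixed path round-trips: %s\n", round_trips('store_option_fixed', $input) ? 'yes' : 'no');
printf("buggy stored value: %s\n", as_stored(store_option_buggy('blogname', $input)));
printf("fixed stored value: %s\n", as_stored(store_option_fixed('blogname', $input)));
```

Run it with `php` on the command line. The fixed path escapes once, so the stored value comes back identical to the input; the buggy path leaves an extra backslash in storage on every write, which is the symptom the ticket reports. The general rule the example demonstrates is to escape at the sink (the query builder) and nowhere upstream, and to cover it with a round-trip test on a value containing a quote character.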