[wp-trac] [WordPress Trac] #33591: Media File Missing Length Causes Wordpress Atom Feed to Be Invalid

WordPress Trac noreply at wordpress.org
Fri Aug 28 21:14:58 UTC 2015


#33591: Media File Missing Length Causes Wordpress Atom Feed to Be Invalid
----------------------------+-----------------------------
 Reporter:  jonnybot        |      Owner:
     Type:  defect (bug)    |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  Feeds           |    Version:  4.2.4
 Severity:  normal          |   Keywords:
  Focuses:  administration  |
----------------------------+-----------------------------
 In wp-includes\feed.php, the atom_enclosure() function can produce invalid
 XML, which will break some feed readers and XML parsers that might digest
 the feed. This happens when the get_post_custom() function returns data
 that doesn't include all the metadata that it ought to for a given
 enclosure.

 This line-

 {{{$enclosure = explode("\n", $enc);}}}

 ...creates an array by splitting the enclosure meta information on newline
 characters ("\n"). Then, this line:
 {{{
 echo apply_filters( 'atom_enclosure', '<link href="' . trim(
 htmlspecialchars( $enclosure[0] ) ) . '" rel="enclosure" length="' . trim(
 $enclosure[1] ) . '" type="' . trim( $enclosure[2] ) . '" />' . "\n" );
 }}}

 ...assumes that the url will be at position 0 in the array, the length in
 position 1, and the type in position 2.

 If the length line is simply missing, as is the case for a particular post
 I have on my blog, then the next line in the metadata is some kind of
 configuration data that looks something like this:
 {{{
 a:1:{s:8:"duration";s:8:"00:05:29";}" }
 }}}

 This breaks the feed in a couple of ways. First, because the length
 attribute is missing from the metadata, the length attribute of the
 resulting link tag will read "audio/mpeg" (or whatever type of file it
 is).

 Second, it tries to put a type that contains quotes, which ends the
 attribute's value early and creates a broken link tag.

 {{{
 <link href="http://myblog.com/wp-content/uploads/2015/03/media.mp3"
 rel="enclosure" length="audio/mpeg"
 type="a:1:{s:8:"duration";s:8:"00:05:20";}" />
 }}}

 The broken link tag will break some feed readers and other XML parsers
 that are pointed at the blog's ATOM feed.

 The same issue may also affect the rss_enclosure function in feed.php,
 though I haven't tested it for that case.

 I'm not sure whether the more important bug bug is that that the ATOM feed
 breaks if the length is missing, or if the bug is, "Hey, the length meta
 data is missing for this object, how did THAT happen?"

 Still, it would seem that the assumption that the length will be at the
 second (or 1th) position in the array is not a safe one. At the very
 least, it might be good to encode the output so that double quotes from
 the metadata don't break the XML of the feed?

 Also, any pointers on sleuthing out why the metadata is missing would be
 much appreciated.

 At the very least, it seems prudent to wrap the length (contents of
 {{{$enclosure[1]}}}) and the type ({{{$enclosure[2]}}}) in the
 htmlspecialchars() function, the same way the href attribute is.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/33591>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list