[wp-trac] [WordPress Trac] #41925: Bring back, support and document %1$s support in wpdb->prepare
WordPress Trac
noreply at wordpress.org
Wed Sep 20 18:19:40 UTC 2017
#41925: Bring back, support and document %1$s support in wpdb->prepare
-------------------------+----------------------
Reporter: soulseekah | Owner:
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Database | Version:
Severity: normal | Resolution: wontfix
Keywords: | Focuses:
-------------------------+----------------------
Changes (by aaroncampbell):
* status: new => closed
* resolution: => wontfix
* milestone: Awaiting Review =>
Comment:
Hey @soulseekah,
I can appreciate the desire to have numbered placeholders in
`wpdb::prepare()`. They're definitely my preference for `sprintf()` et al.
Unfortunately, even after spending a lot of time on this, the security
team wasn't able to find a way to keep them around and also fix the
security issue, without basically writing an SQL parser. The more complex
the parser got, the more likely there were additional edge cases that
would cause problems.
I ran your patch against some test cases I have from when we were working
on this issue, and unfortunately it re-introduces the vulnerability that
was closed with this change. Enforcing the simple subset of `%s`, `%F`,
and `%d` allows us to make `wpdb::prepare()` safe and effective, which is
its main purpose.
Thanks,
Aaron
WordPress Security Team Lead
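The restriction the comment describes, shown as an added illustration (this is not wpdb's code and is not part of the ticket): a Python sketch of a prepare() that accepts only the %s, %d and %F subset (plus %% for a literal percent), refuses numbered %1$s placeholders outright, and substitutes values in a single pass so that a % sequence inside a value is never re-read as a placeholder. The quoting routine is a toy escape, not MySQL's, and the function and exception names are assumptions of this example.

```python
import re

# Added example, not wpdb code. Placeholder grammar: an optional "N$" argument
# number (which we reject) followed by one of the accepted conversions.
PLACEHOLDER_RE = re.compile(r"%(?:(\d+)\$)?([sdF%])")


class PrepareError(ValueError):
    """Raised for unsupported placeholders or an argument-count mismatch."""


def quote_string(value: str) -> str:
    # Toy quoting for illustration only: backslash-escape backslashes and
    # single quotes, then wrap in single quotes. Real code uses the DB driver.
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return "'" + escaped + "'"


def prepare(query: str, *args) -> str:
    """Substitute args into query, allowing only %s, %d, %F and %%."""
    if not query:
        raise PrepareError("empty query")
    out = []
    pos = 0
    arg_index = 0
    for m in PLACEHOLDER_RE.finditer(query):
        out.append(query[pos:m.start()])
        pos = m.end()
        numbered, kind = m.group(1), m.group(2)
        if kind == "%":
            out.append("%")          # literal percent, consumes no argument
            continue
        if numbered is not None:
            # The whole point of the restriction: no %1$s-style indexing.
            raise PrepareError(f"numbered placeholder {m.group(0)!r} not supported")
        if arg_index >= len(args):
            raise PrepareError("fewer arguments than placeholders")
        value = args[arg_index]
        arg_index += 1
        try:
            if kind == "d":
                out.append(str(int(value)))
            elif kind == "F":
                out.append(repr(float(value)))
            else:
                # Values are quoted and appended verbatim; they are never
                # rescanned, so a "%s" inside user data stays inert text.
                out.append(quote_string(str(value)))
        except (TypeError, ValueError) as exc:
            raise PrepareError(f"bad value for %{kind}: {value!r}") from exc
    out.append(query[pos:])
    if arg_index != len(args):
        raise PrepareError("more arguments than placeholders")
    return "".join(out)


def accepts(query: str, *args) -> bool:
    """True if prepare() accepts the template and arguments, else False."""
    try:
        prepare(query, *args)
    except PrepareError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs for demonstration.
    print(prepare("SELECT * FROM wp_posts WHERE ID = %d AND post_title = %s", "7", "it's"))
    print(prepare("SELECT * FROM wp_users WHERE user_login LIKE %s", "%s OR 1=1"))
    print("numbered accepted:", accepts("SELECT %1$s", "x"))
```

Because substitution happens once and values are only ever quoted, the second call above yields a string literal containing the text "%s OR 1=1" rather than a new placeholder; the template is the only thing that is ever parsed.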
--
Ticket URL: <https://core.trac.wordpress.org/ticket/41925#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform