[wp-trac] [WordPress Trac] #48605: add_magic_quotes() inappropriately recasts data types
WordPress Trac
noreply at wordpress.org
Fri Nov 22 00:21:04 UTC 2019
#48605: add_magic_quotes() inappropriately recasts data types
--------------------------+------------------------------
Reporter: Veraxus | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: trunk
Severity: major | Resolution:
Keywords: needs-patch | Focuses:
--------------------------+------------------------------
Comment (by jrf):

I agree with @Veraxus that this is incorrect behaviour on the part of
WordPress and should be fixed.

I've just uploaded two alternative patches for this.

The first is a plaster on the wound which would fix just the
`$_SERVER['REQUEST_TIME']` issue. /cc @rarst

The second is a more structural patch, fixing the `add_magic_quotes()`
method to behave properly and only apply `addslashes()` to strings, but
may have more far-reaching consequences.

If the second patch would be considered too "dangerous", the first can be
applied without real consequences.

I've done a search for plugins and themes which use the
`$_SERVER['REQUEST_TIME']` index and reviewed the code in a fair number of
these.

Most use it to create timestamped file names for file-based caches or
export files, to create a unique hash or for display.

None of the code I've seen would be affected by the type change as they
either:
* Concatenate the value (which will automatically cast it to a string
  anyway);
* Use it in a calculation (which would automatically cast it to an int
  anyway);
* Use `md5()` (which, again, would automatically create a string anyway);
* Or ''actually expect an int'', as an alternative to `time()` or for use
  in a comparison with `strtotime()` which itself returns an int, though
  they don't do any type checking, so that type of code will also continue
  to work without problems.

Plugins: https://wpdirectory.net/search/01DT85QH7FM046D4369YHS6X4C
Themes: https://wpdirectory.net/search/01DT85QSER5DB2VHG2280TZTF5
--
Ticket URL: <https://core.trac.wordpress.org/ticket/48605#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
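
The type change discussed in the comment above, as an added PHP example that is not WordPress core code and not either of the uploaded patches. The function names `slash_everything()` and `slash_strings_only()` and the sample array are assumptions made for illustration; the first models the reported behaviour, the second the "only apply `addslashes()` to strings" approach.

```php
<?php
// Added illustration; function names are hypothetical, input is constructed.

// Reported behaviour: every non-array value is passed to addslashes(),
// which always returns a string, so ints and floats are recast.
function slash_everything( $array ) {
	foreach ( (array) $array as $k => $v ) {
		$array[ $k ] = is_array( $v ) ? slash_everything( $v ) : addslashes( $v );
	}
	return $array;
}

// Structural approach from the comment: slash strings, leave other types alone.
function slash_strings_only( $array ) {
	foreach ( (array) $array as $k => $v ) {
		if ( is_array( $v ) ) {
			$array[ $k ] = slash_strings_only( $v );
		} elseif ( is_string( $v ) ) {
			$array[ $k ] = addslashes( $v );
		}
	}
	return $array;
}

// Constructed stand-in for $_SERVER (not read from a real request).
$server = array(
	'REQUEST_TIME'       => 1574382064,
	'REQUEST_TIME_FLOAT' => 1574382064.25,
	'QUERY_STRING'       => "name=O'Reilly",
	'argv'               => array( "it's", 3 ),
);

$before = slash_everything( $server );
$after  = slash_strings_only( $server );

// Type of each value under both variants.
foreach ( array( 'REQUEST_TIME', 'REQUEST_TIME_FLOAT', 'QUERY_STRING' ) as $key ) {
	printf( "%-18s all: %-7s strings-only: %s\n", $key, gettype( $before[ $key ] ), gettype( $after[ $key ] ) );
}
printf( "argv[1]            all: %-7s strings-only: %s\n", gettype( $before['argv'][1] ), gettype( $after['argv'][1] ) );

// The usage patterns listed in the comment give the same result either way.
var_dump( 'export-' . $before['REQUEST_TIME'] === 'export-' . $after['REQUEST_TIME'] ); // concatenation
var_dump( $before['REQUEST_TIME'] + 60 === $after['REQUEST_TIME'] + 60 );               // calculation
var_dump( md5( $before['REQUEST_TIME'] ) === md5( $after['REQUEST_TIME'] ) );           // md5()

// Only a strict type check distinguishes the two results.
var_dump( is_int( $before['REQUEST_TIME'] ), is_int( $after['REQUEST_TIME'] ) );
```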