[wp-trac] [WordPress Trac] #56832: update_post_meta / get_post_meta data corruption in serialization
WordPress Trac
noreply at wordpress.org
Sat Oct 15 20:49:57 UTC 2022
#56832: update_post_meta / get_post_meta data corruption in serialization
--------------------------------+-----------------------------
 Reporter:  loopy255            |      Owner:  (none)
     Type:  defect (bug)        |     Status:  new
 Priority:  normal              |  Milestone:  Awaiting Review
Component:  Options, Meta APIs  |    Version:
 Severity:  normal              |   Keywords:
  Focuses:                      |
--------------------------------+-----------------------------
When storing meta data through update_post_meta and probably others, the
data gets serialized incorrectly because of the call to wp_unslash.
Similarly, the deserialization seems to be calling the builtin
deserialization when it should not.

Expected behavior is that storing and restoring the state should always
return the same value. If I save a string, I expect the same string to be
returned. The API supports arbitrary types, so storing any scalar value
should return the same value.

Here is a simple test script:
{{{#!php
<?php
// Bootstrap WordPress from the command line.
$_SERVER["HTTP_HOST"] = "localhost";
require "/usr/share/webapps/wordpress/wp-load.php";

function custom_serialization($data) {
    return json_encode($data);
}

function custom_deserialization($data) {
    return is_string($data) ? json_decode($data) : '(failed to deserialize)';
}

$postId = 666;
$key = "test";
$data = "[\\ \\ \\ \\&] \\'";

// Case 1: store the raw string and read it back through the meta API.
printf("Builtin-serialization\n");
printf("-------------------------\n");
printf("Stored: %s\n", $data);
update_post_meta($postId, $key, $data);
$retrieved = get_post_meta($postId, $key);
printf("Retrieved: %s\n", var_export($retrieved, true));
printf("Equals: %s\n", var_export($data === $retrieved, true));
printf("\n");

// Case 2: JSON-encode the string first, then store and read it back.
printf("Custom-serialization\n");
printf("-------------------------\n");
$data = custom_serialization($data);
printf("Stored: %s\n", $data);
update_post_meta($postId, $key, $data);
$retrieved = custom_deserialization(get_post_meta($postId, $key));
printf("Retrieved: %s\n", var_export($retrieved, true));
printf("Equals: %s\n", var_export($data === $retrieved, true));
}}}
Output:
{{{
Builtin-serialization
-------------------------
Stored: [\ \ \ \&] \'
Retrieved: array (
0 => '[ &] \'',
)
Equals: false
Custom-serialization
-------------------------
Stored: "[\\ \\ \\ \\&] \\'"
Retrieved: '(failed to deserialize)'
Equals: false
}}}
If you need to keep backwards compatibility for some reason, please at
least provide a fixed API that can be used to store data reliably.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56832>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
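
The slashing step the ticket points at, modelled without a WordPress install, as an added example that is not part of the original ticket and is not WordPress core code. `model_unslash`, `model_slash`, `model_update_meta`, `model_get_meta` and `$store` are hypothetical stand-ins; the model assumes that, for string values, wp_unslash() applies stripslashes() and wp_slash() applies addslashes().

```php
<?php
// Added example: models only the slashing step of the meta API.

// Stand-in for wp_unslash() on a string (assumed: stripslashes()).
function model_unslash(string $value): string {
    return stripslashes($value);
}

// Stand-in for wp_slash() on a string (assumed: addslashes()).
function model_slash(string $value): string {
    return addslashes($value);
}

// Hypothetical write path: the API expects slashed input and strips one level.
function model_update_meta(array &$store, string $key, string $value): void {
    $store[$key] = model_unslash($value);
}

function model_get_meta(array $store, string $key): string {
    return $store[$key];
}

// Hypothetical in-memory store standing in for the postmeta table.
$store = [];

// Constructed samples: the ticket's string, and the same string as JSON.
$raw  = "[\\ \\ \\ \\&] \\'";
$json = json_encode($raw);

foreach (['raw' => $raw, 'json' => $json] as $label => $value) {
    // Unslashed write: backslashes in the data are consumed as escapes.
    model_update_meta($store, $label, $value);
    $plain = model_get_meta($store, $label);

    // Pre-slashed write: the added level of slashes is what gets stripped.
    model_update_meta($store, $label, model_slash($value));
    $slashed = model_get_meta($store, $label);

    printf("%-4s unslashed write intact: %s\n", $label, var_export($plain === $value, true));
    printf("%-4s slashed write intact:   %s\n", $label, var_export($slashed === $value, true));
}

// What a JSON consumer sees after an unslashed write of the encoded value.
model_update_meta($store, 'json', $json);
printf("json decodes to original:   %s\n",
    var_export(json_decode(model_get_meta($store, 'json')) === $raw, true));
```

Against a real install the corresponding check is to write the value with and without wp_slash() and compare what get_post_meta() returns with its third argument set to true.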