[wp-trac] [WordPress Trac] #52738: Use of get_object_vars() in sanitize_post() and WP_Post constructor does not handle null byte (was: Use of get_object_vars does not handle null byte)

WordPress Trac noreply at wordpress.org
Thu Sep 29 15:01:32 UTC 2022


#52738: Use of get_object_vars() in sanitize_post() and WP_Post constructor does
not handle null byte
------------------------------------------+---------------------
 Reporter:  bitcomplex                    |       Owner:  (none)
     Type:  defect (bug)                  |      Status:  new
 Priority:  normal                        |   Milestone:  6.2
Component:  Posts, Post Types             |     Version:  5.6.2
 Severity:  critical                      |  Resolution:
 Keywords:  needs-patch needs-unit-tests  |     Focuses:
------------------------------------------+---------------------
Changes (by SergeyBiryukov):

 * keywords:   => needs-patch needs-unit-tests
 * component:  General => Posts, Post Types
 * milestone:  Awaiting Review => 6.2


Old description:

> In places where get_object_vars is used to loop over an object's
> properties and then try to access them, null bytes are not handled.
>
> There is an old bug report (from me) for map_deep
> https://core.trac.wordpress.org/ticket/47164 but now we are experiencing
> this in other places too: in sanitize_post and in the constructor of
> class-wp-post.
>
> This is totally destroying our business and I don't know what to do.
> Since I reported the issue for map_deep I have had to manually patch
> formatting.php every time there is a WordPress update. But now, trying to
> handle all the places get_object_vars is used is hopeless.
>
> Best approach to handle this would be to always filter the return values
> from get_object_vars. Something like:
>
> {{{#!php
> <?php
>     // Filter on the property name (the array key), not the value: a name
>     // that starts with a NUL byte can never be accessed as $object->$name.
>     $properties = array_filter(
>         get_object_vars( $object ),
>         fn( $name ) => ord( (string) $name ) !== 0,
>         ARRAY_FILTER_USE_KEY
>     );
> }}}

New description:

 In places where get_object_vars is used to loop over an object's properties
 and then try to access them, null bytes are not handled.

 There is an old bug report (from me) for map_deep #47164 but now we are
 experiencing this in other places too: in sanitize_post and in the
 constructor of class-wp-post.

 This is totally destroying our business and I don't know what to do. Since
 I reported the issue for map_deep I have had to manually patch
 formatting.php every time there is a WordPress update. But now, trying to
 handle all the places get_object_vars is used is hopeless.

 Best approach to handle this would be to always filter the return values
 from get_object_vars. Something like:

 {{{#!php
 <?php
     // Filter on the property name (the array key), not the value: a name
     // that starts with a NUL byte can never be accessed as $object->$name.
     $properties = array_filter(
         get_object_vars( $object ),
         fn( $name ) => ord( (string) $name ) !== 0,
         ARRAY_FILTER_USE_KEY
     );
 }}}

--

Comment:

 Hi there, welcome back to WordPress Trac!

 Thanks for the ticket, sorry it took so long for someone to get back to
 you.

 Moving to 6.2 along with #47164 to get more eyes on both tickets and
 hopefully resolve them.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/52738#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
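The failure the ticket describes, shown as an added example: this is not WordPress core code and not the reporter's proposed patch, and naive_copy(), safe_copy() and the $post fixture are names chosen here for the demonstration. It needs PHP 7.4 or later for the arrow function. A stdClass built with an (object) cast keeps a "\0"-prefixed array key verbatim, get_object_vars() hands that name back unchanged because stdClass declares no properties, and the first dynamic access $obj->$name then throws Error; the filtered variant drops such names on the key side before the loop ever touches them.

```php
<?php
// Added example for this ticket; not WordPress core code and not the
// reporter's patch. naive_copy(), safe_copy() and $post are hypothetical
// names used only for this demonstration.

/**
 * Loop in the style of map_deep(), sanitize_post() and WP_Post::__construct():
 * every name returned by get_object_vars() is accessed again dynamically.
 */
function naive_copy( object $source ): stdClass {
	$copy = new stdClass();
	foreach ( get_object_vars( $source ) as $name => $value ) {
		// Throws Error as soon as $name begins with a NUL byte
		// (PHP 8: Cannot access property starting with "\0").
		$copy->$name = $value;
	}
	return $copy;
}

/**
 * Same loop with the names filtered first. A name that starts with a NUL byte
 * is PHP's mangled form of a non-public member ("\0*\0name" for protected,
 * "\0Class\0name" for private) and can never be read or written as
 * $obj->$name, so skipping it is the only safe option.
 */
function safe_copy( object $source ): stdClass {
	$properties = array_filter(
		get_object_vars( $source ),
		// Keys are cast to string because get_object_vars() may return
		// integer keys for numeric property names; ord('') is 0, so an
		// empty name is rejected as well.
		fn( $name ) => 0 !== ord( (string) $name ),
		ARRAY_FILTER_USE_KEY
	);

	$copy = new stdClass();
	foreach ( $properties as $name => $value ) {
		$copy->$name = $value;
	}
	return $copy;
}

// Constructed fixture. An (object) cast keeps string keys verbatim, including
// a "\0*\0" prefix, and get_object_vars() on a stdClass (no declared
// properties) returns the whole property table without visibility filtering,
// so the NUL-prefixed name reaches the loop.
$post = (object) array(
	'ID'            => 7,
	'post_title'    => 'Hello world',
	"\0*\0internal" => 'never reachable via $obj->$name',
);

try {
	naive_copy( $post );
	echo "naive_copy: ok\n";
} catch ( Error $e ) {
	echo 'naive_copy: ', $e->getMessage(), "\n";
}

$clean = safe_copy( $post );
echo 'safe_copy kept: ', implode( ', ', array_keys( get_object_vars( $clean ) ) ), "\n";
```

Run it with the PHP CLI; the first call reports the Error and the second prints only ID and post_title. On PHP 7.x the message wording is "Cannot access property started with '\0'". Filtering on the key is the point: array_filter() without ARRAY_FILTER_USE_KEY passes property values to the callback, and ord() on a non-string value is a TypeError on PHP 8, so a value-side filter neither removes the bad name nor survives mixed property types.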

