From b32cf6875f1b005da4a2f6b6244b176e67d3e956 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Sun, 15 Nov 2015 22:59:51 +0000
Subject: [PATCH] On servers running PHP <= 5.4 which have `magic_quotes_sybase` enabled, the superglobals need to be magic-quoted before `magic_quotes_sybase` is subsequently disabled to avoid incorrect un-slashing.

This must surely effect a miniscule number of servers, but so be it.

Fixes #19455
Props summerblue, kurtpayne, lucatume

git-svn-id: https://develop.svn.wordpress.org/trunk@35639 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/load.php | 3 ++
 src/wp-settings.php | 1 -
 tests/phpunit/tests/load.php | 91 ++++++++++++++++++++++++++++++++++++
 3 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 tests/phpunit/tests/load.php

diff --git a/src/wp-includes/load.php b/src/wp-includes/load.php
index 1275acad37..70b748691f 100644
--- a/src/wp-includes/load.php
+++ b/src/wp-includes/load.php
@@ -603,6 +603,9 @@ function wp_magic_quotes() {
 $_COOKIE = stripslashes_deep( $_COOKIE );
 }
 
+ // Turn off sybase quoting after stripslashes has run
+ @ini_set( 'magic_quotes_sybase', 0 );
+
 // Escape with wpdb.
 $_GET = add_magic_quotes( $_GET );
 $_POST = add_magic_quotes( $_POST );
diff --git a/src/wp-settings.php b/src/wp-settings.php
index 1c5da84923..bb2043e43a 100644
--- a/src/wp-settings.php
+++ b/src/wp-settings.php
@@ -46,7 +46,6 @@ wp_check_php_mysql_versions();
 
 // Disable magic quotes at runtime. Magic quotes are added using wpdb later in wp-settings.php.
 @ini_set( 'magic_quotes_runtime', 0 );
-@ini_set( 'magic_quotes_sybase', 0 );
 
 // WordPress calculates offsets from UTC.
 date_default_timezone_set( 'UTC' );
diff --git a/tests/phpunit/tests/load.php b/tests/phpunit/tests/load.php
new file mode 100644
index 0000000000..1fd08584d7
--- /dev/null
+++ b/tests/phpunit/tests/load.php
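Review bot: The added `@ini_set( 'magic_quotes_sybase', 0 );` in wp_magic_quotes() (src/wp-includes/load.php) discards both the return value and any warning, so if the call fails (for example on a host where ini_set is disabled) the `add_magic_quotes()` calls below it would presumably still run with sybase quoting active and nothing would record that. Because later code relies on the superglobals being slashed in one known format, the comment should state the ordering constraint rather than only the action, e.g. `// Must stay after stripslashes_deep() and before add_magic_quotes(): un-slashing needs sybase mode as the server applied it, re-slashing needs it off.` The function starts and ends outside this hunk, so the condition guarding the stripslashes block cannot be confirmed from here.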
@@ -0,0 +1,91 @@
+assertEquals( $expected, $_GET['ticket_19455'] );
+ }
+
+ /**
+ * String in $_POST array is modified as expected
+ *
+ * @dataProvider data_strings_and_expected_strings
+ * @ticket 19455
+ */
+ public function test_string_in_POST_array_is_modified_as_expected( $original, $expected ) {
+ $_POST['ticket_19455'] = $original;
+
+ wp_magic_quotes();
+
+ $this->assertEquals( $expected, $_POST['ticket_19455'] );
+ }
+
+ /**
+ * String in $_COOKIE array is modified as expected
+ *
+ * @dataProvider data_strings_and_expected_strings
+ * @ticket 19455
+ */
+ public function test_string_in_COOKIE_array_is_modified_as_expected( $original, $expected ) {
+ $_COOKIE['ticket_19455'] = $original;
+
+ wp_magic_quotes();
+
+ $this->assertEquals( $expected, $_COOKIE['ticket_19455'] );
+ }
+
+ /**
+ * String in $_SERVER array is modified as expected
+ *
+ * @dataProvider data_strings_and_expected_strings
+ * @ticket 19455
+ */
+ public function test_string_in_SERVER_array_is_modified_as_expected( $original, $expected ) {
+ $_SERVER['ticket_19455'] = $original;
+
+ wp_magic_quotes();
+
+ $this->assertEquals( $expected, $_SERVER['ticket_19455'] );
+ }
+
+}
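Review bot: Each visible test writes a `ticket_19455` key into a superglobal and then calls `wp_magic_quotes()`, which per the load.php hunk re-slashes at least the whole of `$_GET` and `$_POST`. Unless a setUp/tearDown restores them, the added key and the extra layer of slashes on every other entry carry over into later tests. The start of this file is missing from the page, so a restore step may already exist there. Separately, `assertEquals` compares loosely; for an escaping test `$this->assertSame( $expected, $_POST['ticket_19455'] );` (and likewise in the other three methods) pins the exact string.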