On servers running PHP <= 5.4 which have magic_quotes_sybase enabled, the superglobals need to be magic-quoted before magic_quotes_sybase is subsequently disabled to avoid incorrect un-slashing. This must surely effect a miniscule number of servers, but so be it.

Fixes #19455 Props summerblue, kurtpayne, lucatume git-svn-id: https://develop.svn.wordpress.org/trunk@35639 602fd350-edb4-49c9-b593-d223f7449a82
2015-11-15 22:59:51 +00:00 · 2015-11-15 22:59:51 +00:00 · b32cf6875f
commit b32cf6875f
parent 0792eaf237
3 changed files with 94 additions and 1 deletions
--- a/src/wp-includes/load.php
+++ b/src/wp-includes/load.php
@ -603,6 +603,9 @@ function wp_magic_quotes() {
 		$_COOKIE = stripslashes_deep( $_COOKIE );
 	}

+	// Turn off sybase quoting after stripslashes has run
+	@ini_set( 'magic_quotes_sybase', 0 );
+
 	// Escape with wpdb.
 	$_GET    = add_magic_quotes( $_GET    );
 	$_POST   = add_magic_quotes( $_POST   );
--- a/src/wp-settings.php
+++ b/src/wp-settings.php
@ -46,7 +46,6 @@ wp_check_php_mysql_versions();

 // Disable magic quotes at runtime. Magic quotes are added using wpdb later in wp-settings.php.
@ini_set( 'magic_quotes_runtime', 0 );
-@ini_set( 'magic_quotes_sybase',  0 );

 // WordPress calculates offsets from UTC.
 date_default_timezone_set( 'UTC' );
--- a/tests/phpunit/tests/load.php
+++ b/tests/phpunit/tests/load.php
@ -0,0 +1,91 @@
+<?php
+
+/**
+ * @group load
+ */
+class Tests_Load extends WP_UnitTestCase {
+
+	public function setUp() {
+		parent::setUp();
+		ini_set( 'magic_quotes_sybase', 1 );
+	}
+
+	public function tearDown() {
+		unset( $_GET['ticket_19455'] );
+		unset( $_POST['ticket_19455'] );
+		unset( $_COOKIE['ticket_19455'] );
+		unset( $_SERVER['ticket_19455'] );
+		ini_set( 'magic_quotes_sybase', 0 );
+		parent::tearDown();
+	}
+
+	public function data_strings_and_expected_strings() {
+		return array(
+			array( 'A string with no quotes', 'A string with no quotes' ),
+			array( "Charlie's Little Cat", "Charlie\\'s Little Cat" ),
+			array( "A string with many quotes''''''", "A string with many quotes\\'\\'\\'\\'\\'\\'" ),
+			array(
+				"A string with quotes ' in '' different ''' places''''",
+				"A string with quotes \\' in \\'\\' different \\'\\'\\' places\\'\\'\\'\\'"
+			),
+			array( "A string with 'quoted' words", "A string with \\'quoted\\' words" ),
+		);
+	}
+
+	/**
+	 * String in $_GET array is modified as expected
+	 *
+	 * @dataProvider data_strings_and_expected_strings
+	 * @ticket 19455
+	 */
+	public function test_string_in_GET_array_is_modified_as_expected( $original, $expected ) {
+		$_GET['ticket_19455'] = $original;
+
+		wp_magic_quotes();
+
+		$this->assertEquals( $expected, $_GET['ticket_19455'] );
+	}
+
+	/**
+	 * String in $_POST array is modified as expected
+	 *
+	 * @dataProvider data_strings_and_expected_strings
+	 * @ticket 19455
+	 */
+	public function test_string_in_POST_array_is_modified_as_expected( $original, $expected ) {
+		$_POST['ticket_19455'] = $original;
+
+		wp_magic_quotes();
+
+		$this->assertEquals( $expected, $_POST['ticket_19455'] );
+	}
+
+	/**
+	 * String in $_COOKIE array is modified as expected
+	 *
+	 * @dataProvider data_strings_and_expected_strings
+	 * @ticket 19455
+	 */
+	public function test_string_in_COOKIE_array_is_modified_as_expected( $original, $expected ) {
+		$_COOKIE['ticket_19455'] = $original;
+
+		wp_magic_quotes();
+
+		$this->assertEquals( $expected, $_COOKIE['ticket_19455'] );
+	}
+
+	/**
+	 * String in $_SERVER array is modified as expected
+	 *
+	 * @dataProvider data_strings_and_expected_strings
+	 * @ticket 19455
+	 */
+	public function test_string_in_SERVER_array_is_modified_as_expected( $original, $expected ) {
+		$_SERVER['ticket_19455'] = $original;
+
+		wp_magic_quotes();
+
+		$this->assertEquals( $expected, $_SERVER['ticket_19455'] );
+	}
+
+}