From d5ddd6d4be1bc9fd16b7796842e6fb26315705ad Mon Sep 17 00:00:00 2001
From: Jonathan Desrosiers
Date: Thu, 29 Oct 2020 18:05:21 +0000
Subject: [PATCH] Meta: Sanitize meta key before checking protection status.

Props zieladam, peterwilsoncc, xknown, whyisjake.
Merges [49377,49381] to trunk.

git-svn-id: https://develop.svn.wordpress.org/trunk@49387 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/meta.php | 3 +-
 tests/phpunit/tests/meta/isProtectedMeta.php | 55 ++++++++++++++++++++
 2 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 tests/phpunit/tests/meta/isProtectedMeta.php

diff --git a/src/wp-includes/meta.php b/src/wp-includes/meta.php
index e1c1f92e48..fe144fcda6 100644
--- a/src/wp-includes/meta.php
+++ b/src/wp-includes/meta.php
@@ -1159,7 +1159,8 @@ function _get_meta_table( $type ) {
 * @return bool Whether the meta key is considered protected.
 */
 function is_protected_meta( $meta_key, $meta_type = '' ) {
- $protected = ( '_' === $meta_key[0] );
+ $sanitized_key = preg_replace( "/[^\x20-\x7E\p{L}]/", '', $meta_key );
+ $protected = strlen( $sanitized_key ) > 0 && ( '_' === $sanitized_key[0] );
 
 /**
 * Filters whether a meta key is considered protected.
diff --git a/tests/phpunit/tests/meta/isProtectedMeta.php b/tests/phpunit/tests/meta/isProtectedMeta.php
new file mode 100644
index 0000000000..c204d381f5
--- /dev/null
+++ b/tests/phpunit/tests/meta/isProtectedMeta.php
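Review bot: The pattern on the added `preg_replace` line carries no `u` modifier, so `\p{L}` is evaluated per byte rather than per UTF-8 code point: bytes in the 0xC0–0xFF range are kept as "letters" whether or not they begin a valid sequence, while continuation bytes are dropped, so the character that lands in `$sanitized_key[0]` can differ from what a UTF-8-aware consumer of the same key (the database layer, for instance) would see as its first character. If the pattern is changed to `/[^\x20-\x7E\p{L}]/u`, be aware that `preg_replace` then returns `null` on malformed input and `strlen( null )` silently yields 0, i.e. the key is treated as unprotected; failing closed instead would read `$protected = null === $sanitized_key || ( strlen( $sanitized_key ) > 0 && '_' === $sanitized_key[0] );`, or malformed keys could be rejected before this point. Whether failing closed is acceptable for existing callers is not something the hunk shows. A one-line comment above the regex stating that it deliberately strips control and non-letter characters before the underscore check would also help the next reader. The body of `is_protected_meta` continues past the hunk; the filter application is outside it.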
@@ -0,0 +1,55 @@
+assertTrue( is_protected_meta( $key ) );
+ }
+
+ public function protected_data() {
+ $protected_keys = array(
+ array( '_wp_attachment' ),
+ );
+ for ( $i = 0, $max = 31; $i < $max; $i ++ ) {
+ $protected_keys[] = array( chr( $i ) . '_wp_attachment' );
+ }
+ for ( $i = 127, $max = 159; $i <= $max; $i ++ ) {
+ $protected_keys[] = array( chr( $i ) . '_wp_attachment' );
+ }
+ $protected_keys[] = array( chr( 95 ) . '_wp_attachment' );
+
+ return $protected_keys;
+ }
+
+ /**
+ * @dataProvider unprotected_data
+ */
+ public function test_unprotected( $key ) {
+ $this->assertFalse( is_protected_meta( $key ) );
+ }
+
+ public function unprotected_data() {
+ $unprotected_keys = array(
+ array( 'singleword' ),
+ array( 'two_words' ),
+ array( 'ąŌ_not_so_protected_meta' ),
+ );
+
+ for ( $i = 32, $max = 94; $i <= $max; $i ++ ) {
+ $unprotected_keys[] = array( chr( $i ) . '_wp_attachment' );
+ }
+ for ( $i = 96, $max = 126; $i <= $max; $i ++ ) {
+ $unprotected_keys[] = array( chr( $i ) . '_wp_attachment' );
+ }
+
+ return $unprotected_keys;
+ }
+
+}
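Review bot: In `protected_data` the first loop, `for ( $i = 0, $max = 31; $i < $max; $i ++ )`, stops at chr(30), so chr(31) is never exercised, while every other provider loop in this file uses `$i <= $max`; change the condition to `$i <= $max` so the 0–31 control range is covered consistently with the 127–159 range. Neither provider contains a key that becomes empty after sanitization (for example adding `array( chr( 0 ) )` to `unprotected_data`), which is precisely the input the new `strlen( $sanitized_key ) > 0` guard in `is_protected_meta` exists for, so that guard currently has no test. The `protected_data` and `unprotected_data` methods would also benefit from a one-line docblock saying which byte ranges they cover and why the boundary values 31/32 and 126/127 were chosen. The beginning of this hunk is garbled in the page, so the class declaration and the `test_protected` signature are not visible here.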