Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:115429 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 90032 invoked from network); 16 Jul 2021 00:23:26 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 16 Jul 2021 00:23:26 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 98B321804AA for ; Thu, 15 Jul 2021 17:47:33 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-0.2 required=5.0 tests=BAYES_20,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-lj1-f177.google.com (mail-lj1-f177.google.com [209.85.208.177]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Thu, 15 Jul 2021 17:47:32 -0700 (PDT) Received: by mail-lj1-f177.google.com with SMTP id bn5so11257879ljb.10 for ; Thu, 15 Jul 2021 17:47:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=craigfrancis.co.uk; s=default; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=scXWQ0Cj+jyAp50oLCnFoKSH6HpcXPBAN/+6h1X0Ngc=; b=KMZIxjSpKuM7JhOyGaonQwoO6Swu/Cz1OOKX9D6qz6ODQHHTnI4qyC5wiGtOnlJZkL gdLQIhPDROsK4PnF9Gp9FNsGWuYCmw4x2nDjPnGcDGVNa7YnKy8qvgvgE7iZDfC2Lzg6 HLjmUxLQA7thCDIa03usnYE3cqWKzH8ePZLuI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=scXWQ0Cj+jyAp50oLCnFoKSH6HpcXPBAN/+6h1X0Ngc=; b=udRBV6eKserxRJyvRy5Hw7+pkuNwm1HDzIaOpOQZKENzNr2LMfNbhNHttwpzeHTuwW wVbyzFgF3+3euJLOik7TibhAIEHfplAjKwlAIDqaTpZB2qVqG1Ifn9b2cD4lYN3KrBAf dW4WauRPKY7KHGDkGOxpQiC3VMERfNlrFJyWoDVc5lH3lOWCHlQFOpKH0pViulcRhueO NgKZqsQgb1WmmbidrXUxmmDjTANfJfKeU8eeCX7QPouvcsSogiYcegmGB+82MdyQREiO 6A3UNC0jtUaMMssr2NpiPF8Nitx5QoPqhrVZtPQv4HInG0hU/XJDWDSoKIVqZcfrHa/J 5Ejg== X-Gm-Message-State: AOAM5329tURjdF6Bsx+WIW2DZbCco3DFN9hC5Mm4WSuv1z+V9kYqRMCd 7AWn6eV01ZICXb+a4JcYpIY6ZgGwIp0I1KxudwZXzUvrYQfZ0B8Z X-Google-Smtp-Source: ABdhPJycJcH15GSqu8YUS1oYYR1Kj4wLPeqhV9HyBwtZZ3VNrbz34A0XcHd9JW4oUtSw1gC+V0+zGDvnxLzumW0ybSI= X-Received: by 2002:a2e:9241:: with SMTP id v1mr6287525ljg.48.1626396451137; Thu, 15 Jul 2021 17:47:31 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: Date: Fri, 16 Jul 2021 01:47:20 +0100 Message-ID: To: PHP internals Content-Type: multipart/alternative; boundary="000000000000bbfc6105c732ee15" Subject: Re: [PHP-DEV] [RFC] [VOTE] is_literal From: craig@craigfrancis.co.uk (Craig Francis) --000000000000bbfc6105c732ee15 Content-Type: text/plain; charset="UTF-8" Just another day, and another injection vulnerability (please patch): https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/ If only escaping wasn't being used, so user values did not get included in certain strings :-) diff -r woocommerce.5.5.0/includes/data-stores/class-wc-webhook-data-store.php woocommerce.5.5.1/includes/data-stores/class-wc-webhook-data-store.php 280c280 < $search = ! empty( $args['search'] ) ? "AND `name` LIKE '%" . $wpdb->esc_like( sanitize_text_field( $args['search'] ) ) . "%'" : ''; --- > $search = ! empty( $args['search'] ) ? $wpdb->prepare( "AND `name` LIKE %s", '%' . $wpdb->esc_like( sanitize_text_field( $args['search'] ) ) . '%' ) : ''; The vote for the is_literal RFC ends on Monday the 19th of July, 7:30pm UK time and 6:30pm UTC, and needs your support. https://wiki.php.net/rfc/is_literal --000000000000bbfc6105c732ee15--