Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:115446
Return-Path: <craig@craigfrancis.co.uk>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 85841 invoked from network); 17 Jul 2021 01:20:52 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 17 Jul 2021 01:20:52 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 0AC0018033A
	for <internals@lists.php.net>; Fri, 16 Jul 2021 18:45:14 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,
	RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no
	autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <craig@craigfrancis.co.uk>
Received: from mail-lf1-f52.google.com (mail-lf1-f52.google.com [209.85.167.52])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Fri, 16 Jul 2021 18:45:13 -0700 (PDT)
Received: by mail-lf1-f52.google.com with SMTP id q16so18996370lfa.5
        for <internals@lists.php.net>; Fri, 16 Jul 2021 18:45:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=craigfrancis.co.uk; s=default;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=2pTLPZYMTwAH4LhzygVewHnrdbkTvQflHEgGJhGZMp8=;
        b=g/oDj3+HQ6cfItzuDJWpf/9wqoowb8cXUFGhwqblvdLAoN7f8oly9WVwjnS+8Emags
         N7y30/XsEnQxV8JxUn1EuP7iIqil99iMceK/d9YxLgvoOzpSS6f7hoLM88+L5Qmi8MeB
         cDrRnaRUhEsgmsBcf/l2VIrRc5iM5egtJvOkI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=2pTLPZYMTwAH4LhzygVewHnrdbkTvQflHEgGJhGZMp8=;
        b=ug+FWd2IPauT1YiTNS8b8coofEYFsYUezYrKut1r35Q4fsnIJqFuyjqy7conbGA3zd
         de5S9BFkqaYpdEbSfQr9RTyDbzW65mwI8Hq0RhlRL2oJROivDZbKw8KvKja3R2DNswIv
         oYDV0tQsS3lmpO4pNkosffjQykjrJLKjfIlx/XXRAXBVa1FgAtfrwjtTN5hcZPJwIanw
         LweEQReWCtBUZfC/LUe3mI9g8wfzXwzQB7QDpysZf5p42eQVoRbbPeP4tI8JDT7ZGZ5R
         kvSu7rSKohpIqEKHZ5hrqHiso7SkBTSt0YSfyU2ElVbE8KFjXQTxeEkziFWuiRld7o9F
         AHsw==
X-Gm-Message-State: AOAM531XNiTvH/1wPXhDCH+kF2EW4pCmdxjuSW3CC02kMBs5ui5UOWde
	3IuFbzIvfCdc+7Qsu7HG/xtaS8zIC7F4pIaeeF4tTQ==
X-Google-Smtp-Source: ABdhPJwLcEWPfitKhl4KJr7DBMBH/JOoLb6whWuZ6tWGP0eyeS28ZCZPM9u6+aeYsncVuB9umrgZRYX7FfZzmJh3mSA=
X-Received: by 2002:ac2:5d2e:: with SMTP id i14mr9542498lfb.642.1626486309893;
 Fri, 16 Jul 2021 18:45:09 -0700 (PDT)
MIME-Version: 1.0
References: <CAFv4g+HRHrvCOTgpbVfCXj06De1kL+1+RwnGgq6tcyLNAtLfQA@mail.gmail.com>
 <CAFv4g+ErRYaGJKJRJm9qYvCMQzUgbJE_hYfhTn6CtSeZ9SKxNw@mail.gmail.com>
 <CAFv4g+FH2ntZz_fSKhoFDMmjaDVhs56oR7x4tE3F250CAZsNtg@mail.gmail.com> <CAJmy8YFT9UA8fGmfAh9vcKQA=uM8nuSnEeu4U2sdD1oxQq1YjQ@mail.gmail.com>
In-Reply-To: <CAJmy8YFT9UA8fGmfAh9vcKQA=uM8nuSnEeu4U2sdD1oxQq1YjQ@mail.gmail.com>
Date: Sat, 17 Jul 2021 02:44:58 +0100
Message-ID: <CAFv4g+Hzgsjr6W=HWaWi2C1Joxz8Jg3PGwQCL7beVZc2YpLuHA@mail.gmail.com>
To: Hans Henrik Bergan <divinity76@gmail.com>
Cc: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="000000000000bbcf2c05c747da48"
Subject: Re: [PHP-DEV] [RFC] [VOTE] is_literal
From: craig@craigfrancis.co.uk (Craig Francis)

--000000000000bbcf2c05c747da48
Content-Type: text/plain; charset="UTF-8"

On Fri, 16 Jul 2021 at 21:24, Hans Henrik Bergan <divinity76@gmail.com>
wrote:

> short of a bug in esc_like(), i don't even see the vulnerability issue in
> that code?
>


Sorry Hans, I copied the wrong diff.

There were only 2 changes from woocommerce 5.5.0 to 5.5.1.

Like you I was wondering what that diff was doing before posting - I'm
fairly sure it's just to be consistent with the other lines (which all use
$wpdb->prepare).

The diff I should have copied is:

diff -r
woocommerce.5.5.0/packages/woocommerce-blocks/src/StoreApi/Utilities/ProductQueryFilters.php
woocommerce.5.5.1/packages/woocommerce-blocks/src/StoreApi/Utilities/ProductQueryFilters.php
86c86,92
<  $attributes_to_count     = array_map( 'wc_sanitize_taxonomy_name',
$attributes );
---
>  $attributes_to_count     = array_map(
>    function( $attribute ) {
>      $attribute = wc_sanitize_taxonomy_name( $attribute );
>      return esc_sql( $attribute );
>    },
>    $attributes
>  );

In context `$attributes_to_count` simply goes to:

$attributes_to_count_sql = 'AND term_taxonomy.taxonomy IN ("' . implode(
'","', $attributes_to_count ) . '")';

Where the the esc_sql() is basically a call to mysqli_real_escape_string(),
which explains why it needs risky quotes in/around implode.

Craig

--000000000000bbcf2c05c747da48--