Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:115449 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 6619 invoked from network); 17 Jul 2021 07:34:56 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 17 Jul 2021 07:34:56 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id AADB318033A for ; Sat, 17 Jul 2021 00:59:23 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-1.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT, FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2, SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-pl1-f171.google.com (mail-pl1-f171.google.com [209.85.214.171]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Sat, 17 Jul 2021 00:59:23 -0700 (PDT) Received: by mail-pl1-f171.google.com with SMTP id o8so6454687plg.11 for ; Sat, 17 Jul 2021 00:59:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=4aTXHvzJYXZ48k4jMjnle6rE3QAr2EDhRbKtqDrnm2g=; b=JRlyA9Lt8B5s0gBmiycwgp8YAIMelyD3eCuK5b78qALW+vzx61ACpeuxkreP74JBkB t1bIGpf0K6BnZ3X6AgG2qW8fWKoq0OpSHy8Bif2pSDNpo0mj/+DEVlzs4QvPvqgCZZxE oUWrZ0T4wIPATVv5t5c79UcTuI00XlLlYfEnO/KB8idWIuBip7gl13j4R+cJNqlOXge7 isx8hkhhy9Zm6sxg46smhLtzkQmsl/SNr10MBZLh35it7ch2YqfKWtPJPMuK0x50x5HM aBN53bpYg/q0+Ge+1PqWdpHgpPOZqzXIRFfdHNUfGuuQO3QD+urpBck6AHFbg8lQm3V4 9fYw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=4aTXHvzJYXZ48k4jMjnle6rE3QAr2EDhRbKtqDrnm2g=; b=CYQBMoFGjUL6Ctl/WZsOXX3/wnRrZf4EEoCW2F5l0l7YSx/+DmMoCumlmCJ0TKQ4+y txUbsOzOw4jYiDONNFDZDGuIeE/PyzHmAabHbZvxgGLx5XVvBYoo9jC/xEvmx5oDdsCj e6IEbOmnMnDLX5YrL3QC5ph5wXJztfIKRsdHHimth1jx1n3Fw8RS0ECXTXG9e7E50wZ4 gAYaug4JqmLuJQ4tmh160Ev1z82ZmkVB4XPhhaNvLprLKDd4Fy4AycvUavACWDkS42ae AhtU0HdIuXjcYiPzbuDEttWhpHv2M1sccdBnzf32OB8QTDZSTzHC0pe5pnmpqYtsnU6r yRFw== X-Gm-Message-State: AOAM533742XYha41qWYmdg8PIz58ViRUWpQGJbcoR+SRQ4UCekBP1BQa aOEknP/IDhWV8yzSALWSaljLy6BeJlne2lY8Dvu5qTdmAmmEtg== X-Google-Smtp-Source: ABdhPJxJfef3Kd/M8qWQ6+73EJpk4wmvCa2E1n4OeQZvlxJxeHWMfMwXcfWBWrMfXrd3bzLHqehDxJ8NNeY/Mmqm2OM= X-Received: by 2002:a17:90a:1f43:: with SMTP id y3mr13828099pjy.0.1626508758843; Sat, 17 Jul 2021 00:59:18 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: Date: Sat, 17 Jul 2021 09:58:42 +0200 Message-ID: To: PHP internals Content-Type: multipart/alternative; boundary="000000000000cb857605c74d14dc" Subject: Re: [PHP-DEV] [RFC] [VOTE] is_literal From: divinity76@gmail.com (Hans Henrik Bergan) --000000000000cb857605c74d14dc Content-Type: text/plain; charset="UTF-8" oh thanks, now the vulnerability is clear. (i would still complain on that as a pull request though, using double quotes for strings is just a horrible idea, it's not compliant with ISO sql, and it depends on the MySQL server it's running on *not* having @@SQL_MODE=ANSI_QUOTES enabled which changes double-quotes to be ISO-compliant instead of mysql-borky (double quotes for strings only work on MySQL because of a MySQL quirk, ISO SQL say double quotes is meant for identifiers just like ` ), and it's not portable across different SQL servers, and all of these problems go away if you just use the sensible alternative: single quotes - seriously someone should complain to whoever wrote that, so at least he doesn't do the same in the future i can tell from only that diff that, at least as of 5.5.1, woocommerce is not compatible with @@SQL_MODE=ANSI_QUOTES :p ) On Sat, 17 Jul 2021 at 03:45, Craig Francis wrote: > On Fri, 16 Jul 2021 at 21:24, Hans Henrik Bergan > wrote: > >> short of a bug in esc_like(), i don't even see the vulnerability issue in >> that code? >> > > > Sorry Hans, I copied the wrong diff. > > There were only 2 changes from woocommerce 5.5.0 to 5.5.1. > > Like you I was wondering what that diff was doing before posting - I'm > fairly sure it's just to be consistent with the other lines (which all use > $wpdb->prepare). > > The diff I should have copied is: > > diff -r > woocommerce.5.5.0/packages/woocommerce-blocks/src/StoreApi/Utilities/ProductQueryFilters.php > woocommerce.5.5.1/packages/woocommerce-blocks/src/StoreApi/Utilities/ProductQueryFilters.php > 86c86,92 > < $attributes_to_count = array_map( 'wc_sanitize_taxonomy_name', > $attributes ); > --- > > $attributes_to_count = array_map( > > function( $attribute ) { > > $attribute = wc_sanitize_taxonomy_name( $attribute ); > > return esc_sql( $attribute ); > > }, > > $attributes > > ); > > In context `$attributes_to_count` simply goes to: > > $attributes_to_count_sql = 'AND term_taxonomy.taxonomy IN ("' . implode( > '","', $attributes_to_count ) . '")'; > > Where the the esc_sql() is basically a call > to mysqli_real_escape_string(), which explains why it needs risky quotes > in/around implode. > > Craig > > > > --000000000000cb857605c74d14dc--