Newsgroups: php.internals
Xref: news.php.net php.internals:115488
Date: Mon, 19 Jul 2021 13:50:51 +0200
From: Guilliam Xavier <guilliam.xavier@gmail.com>
To: Craig Francis
Cc: Hans Henrik Bergan, PHP internals
Subject: Re: [PHP-DEV] [RFC] [VOTE] is_literal

On Fri, Jul 16, 2021 at 2:47 AM Craig Francis wrote:

> Just another day, and another injection vulnerability (please patch):
>
> https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/
>
> If only escaping wasn't being used, so user values did not get included in
> certain strings :-)
>
> diff -r
> woocommerce.5.5.0/includes/data-stores/class-wc-webhook-data-store.php
> woocommerce.5.5.1/includes/data-stores/class-wc-webhook-data-store.php
> 280c280
> < $search = ! empty( $args['search'] ) ? "AND `name` LIKE '%" .
> $wpdb->esc_like( sanitize_text_field( $args['search'] ) ) . "%'" : '';
> ---
> > $search = ! empty( $args['search'] ) ? $wpdb->prepare( "AND
> `name` LIKE %s", '%' . $wpdb->esc_like( sanitize_text_field(
> $args['search'] ) ) . '%' ) : '';
>

On Sat, Jul 17, 2021 at 3:45 AM Craig Francis wrote:

> On Fri, 16 Jul 2021 at 21:24, Hans Henrik Bergan wrote:
>
> > short of a bug in esc_like(), i don't even see the vulnerability issue in
> > that code?
>
> Sorry Hans, I copied the wrong diff.
>
> There were only 2 changes from woocommerce 5.5.0 to 5.5.1.
>
> Like you I was wondering what that diff was doing before posting - I'm
> fairly sure it's just to be consistent with the other lines (which all use
> $wpdb->prepare).

I don't think so. Looking at
https://developer.wordpress.org/reference/functions/sanitize_text_field/
and https://developer.wordpress.org/reference/classes/wpdb/esc_like/ you
can see that they *don't* escape single quotes, so there was *indeed* an
SQL injection vulnerability in that code.

(Which is [one of the reasons] why I avoid WordPress [and especially
third-party themes / plugins] as much as possible.)

-- 
Guilliam Xavier
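Review bot: the 5.5.0 side of the 280c280 hunk concatenates `$wpdb->esc_like( sanitize_text_field( $args['search'] ) )` straight into the quoted literal `'%...%'`; neither helper escapes a single quote (the WordPress reference pages linked in this thread document that), so a `'` in `$args['search']` terminates the literal and whatever follows is parsed as SQL. The 5.5.1 side is therefore a real fix and not only an alignment with the other `$wpdb->prepare` lines: the value now goes through the `%s` placeholder, which supplies the quoting, while `esc_like()` is kept around it so that `%` and `_` typed by the user still match literally rather than as wildcards. One thing to verify before merging: the returned `$search` fragment must only be concatenated into the outer query and never passed through `prepare()` a second time, since the `%` characters that `esc_like()` leaves in the already-prepared fragment would then be reinterpreted as placeholders.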
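As an added illustration of the point Guilliam makes above (this is not code from the thread, WooCommerce or WordPress), the following Python models both sides of the quoted 280c280 hunk against an in-memory SQLite table. The `esc_like()` here is a stand-in written to the documented behaviour of `wpdb::esc_like()` (escape `%`, `_` and `\`, leave `'` alone); `sanitize_text_field()` is not modelled because it does not touch quotes either and so does not change the outcome; the `webhooks` rows and the search inputs are constructed for the example; and `ESCAPE '\'` is added to both queries because SQLite, unlike MySQL, has no default LIKE escape character.

```python
"""Model of the WooCommerce 5.5.0 -> 5.5.1 change, run against SQLite.

Two search functions: one built the 5.5.0 way (escaped value concatenated
into a quoted literal) and one built the 5.5.1 way (value bound through a
placeholder, esc_like() still applied). Neither is WordPress code.
"""
import sqlite3

# Constructed sample rows standing in for the WooCommerce webhooks table.
WEBHOOKS = ["order.created hook", "order_paid", "100% off promo", "1000 units"]


def esc_like(text: str) -> str:
    """Stand-in for wpdb::esc_like(): escapes only the LIKE wildcards and the
    backslash. The single quote is deliberately NOT touched, matching the
    documented behaviour the thread points at."""
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def _connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE webhooks (name TEXT NOT NULL)")
    conn.executemany("INSERT INTO webhooks (name) VALUES (?)", [(n,) for n in WEBHOOKS])
    return conn


def search_vulnerable(term: str) -> list:
    """5.5.0 shape: esc_like()'d value spliced into the SQL text itself.

    A quote in `term` closes the literal; e.g. "x' OR 1=1 --" turns the
    WHERE clause into `name LIKE '%x' OR 1=1 --...` and returns every row.
    ESCAPE '\\' mimics MySQL's default backslash escape for LIKE.
    """
    sql = "SELECT name FROM webhooks WHERE name LIKE '%" + esc_like(term) + "%' ESCAPE '\\'"
    conn = _connect()
    try:
        return [row[0] for row in conn.execute(sql)]
    finally:
        conn.close()


def search_prepared(term: str, escape_wildcards: bool = True) -> list:
    """5.5.1 shape: the pattern is a bound parameter, so the SQL text is fixed
    and a quote in `term` is just data.

    `escape_wildcards=False` shows why esc_like() is still needed even with a
    placeholder: the parameter stops injection, not wildcard interpretation.
    """
    value = esc_like(term) if escape_wildcards else term
    pattern = "%" + value + "%"
    conn = _connect()
    try:
        rows = conn.execute(
            "SELECT name FROM webhooks WHERE name LIKE ? ESCAPE '\\'", (pattern,)
        )
        return [row[0] for row in rows]
    finally:
        conn.close()


if __name__ == "__main__":
    payload = "x' OR 1=1 --"          # constructed injection input
    print("5.5.0 shape:", search_vulnerable(payload))   # every row
    print("5.5.1 shape:", search_prepared(payload))     # nothing
    print("wildcard, escaped:  ", search_prepared("100%"))
    print("wildcard, unescaped:", search_prepared("100%", escape_wildcards=False))
```

The two knobs are independent: `prepare()`'s placeholder (here the `?`) is what stops the quote from terminating the literal, and `esc_like()` is what stops `%` and `_` in the search term from acting as wildcards, which is why the 5.5.1 line keeps both.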