[wp-hackers] Magic Quoting removal Road Map/Plan

Jari Pennanen ciantic at oksidi.com
Fri Jun 10 16:05:49 UTC 2011


Hello!

Okay I created a GIST since I cannot obviously write valid code at once:

https://gist.github.com/1019157


2011/6/10 Jari Pennanen <ciantic at oksidi.com>:
> Hello!
>
> Here is a quick take on the matter as code (only for _POST as an example):
>
>
>
> $WP_NONQUOTED_POST = array();
>
> /**
>  * Add magic quotes to $_GET, $_POST, $_COOKIE, and $_SERVER.
>  *
>  * Also forces $_REQUEST to be $_GET + $_POST. If $_SERVER, $_COOKIE,
>  * or $_ENV are needed, use those superglobals directly.
>  *
>  * Keeps an unquoted copy of $_POST in $WP_NONQUOTED_POST for wp_get_post().
>  *
>  * @access private
>  * @since 3.0.0
>  */
> function wp_magic_quotes() {
>    global $WP_NONQUOTED_POST;
>
>    // If PHP already slashed the input, strip it so we start from raw values.
>    if ( get_magic_quotes_gpc() ) {
>        $_GET    = stripslashes_deep( $_GET    );
>        $_POST   = stripslashes_deep( $_POST   );
>        $_COOKIE = stripslashes_deep( $_COOKIE );
>    }
>
>    // Keep the original, non-quoted POST before slashing it.
>    $WP_NONQUOTED_POST = $_POST;
>
>    // Add slashes: the quoted view existing plugins and themes expect.
>    $_GET    = add_magic_quotes( $_GET    );
>    $_POST   = add_magic_quotes( $_POST   );
>    $_COOKIE = add_magic_quotes( $_COOKIE );
>    $_SERVER = add_magic_quotes( $_SERVER );
>
>    // Force REQUEST to be GET + POST.
>    $_REQUEST = array_merge( $_GET, $_POST );
>
>    // Also slash data read at runtime (files, DB), not only GPC input.
>    set_magic_quotes_runtime(true);
> }
>
> /**
>  * Return original POST without magic quoting
>  *
>  * @param false|string $key Key, if not given whole POST is returned
>  * @param mixed $default Default value if key is not found
>  * @return mixed Returns the value or default value if key is not found
>  */
> function wp_get_post($key=false, $default=null) {
>    global $WP_NONQUOTED_POST;
>
>    if ($key === false) {
>        return $WP_NONQUOTED_POST;
>    }
>    return isset($WP_NONQUOTED_POST[$key]) ? $WP_NONQUOTED_POST[$key] : $default;
> }
>
> 2011/6/10 Jari Pennanen <ciantic at oksidi.com>:
>> Hi!
>>
>> 2011/6/10 John Blackbourn <johnbillion+wp at gmail.com>:
>>> That's fine, but you're straying from the issue at hand. If functions
>>> like this were implemented we are still left with the $_GET and $_POST
>>> superglobals that are currently quoted. The issue is that we cannot
>>> remove quoting from these variables because it introduces a security
>>> vulnerability for every plugin and theme that's been written up until
>>> this point. If we can't remove quoting from the superglobals, this is
>>> a fruitless exercise.
>>
>> No sir. If everyone starts to use the new API, we can get rid of $_GET and
>> $_POST quoting. Get it? We must push everyone to use the new API, and
>> then, in the distant future (the PHP6 future, maybe), we can get rid of
>> this _GET/_POST quoting etc.
>>
>
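
The following is an added, stand-alone example (not code from the thread above or from WordPress itself) showing why keeping an unquoted copy of the request matters. It re-implements stripslashes_deep and add_magic_quotes in miniature so the file runs on its own, assumes they behave like the WordPress functions for nested arrays, and uses a hypothetical db_escape() (plain addslashes) as a stand-in for the database escaping step. Only $_POST is handled, as in the thread's sketch. The three query strings contrast a legacy plugin that depends on the slashing, a plugin that escapes correctly but reads the already-slashed superglobal, and one that reads the raw value through wp_get_post().

```php
<?php
// Added example, not from the wp-hackers thread or WordPress.

// Constructed sample request: a quote, a backslash and a nested array.
$_POST = array(
    'title' => "O'Reilly",
    'path'  => 'C:\\temp',
    'tags'  => array("it's", 'plain'),
);

$WP_NONQUOTED_POST = array();

// Minimal stand-ins for the WordPress helpers (assumed equivalent for arrays).
function stripslashes_deep($value) {
    return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}

function add_magic_quotes($value) {
    return is_array($value) ? array_map('add_magic_quotes', $value) : addslashes($value);
}

function wp_magic_quotes() {
    global $WP_NONQUOTED_POST;
    // get_magic_quotes_gpc() no longer exists on PHP 8; guard so this runs anywhere.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $_POST = stripslashes_deep($_POST);
    }
    $WP_NONQUOTED_POST = $_POST;       // raw copy, taken before slashing
    $_POST = add_magic_quotes($_POST); // slashed view that existing plugins expect
}

function wp_get_post($key = false, $default = null) {
    global $WP_NONQUOTED_POST;
    if ($key === false) {
        return $WP_NONQUOTED_POST;
    }
    return isset($WP_NONQUOTED_POST[$key]) ? $WP_NONQUOTED_POST[$key] : $default;
}

// Hypothetical stand-in for the real escaping step at the SQL sink.
function db_escape($s) {
    return addslashes($s);
}

// Builds the three query variants so the difference is visible side by side.
function build_queries() {
    wp_magic_quotes();
    return array(
        // 1. Legacy plugin: interpolates $_POST and is only safe because WP slashed it.
        //    Remove the slashing and this becomes injectable; that is the thread's concern.
        'legacy'  => "INSERT INTO t (title) VALUES ('" . $_POST['title'] . "')",
        // 2. Escapes at the sink but reads the slashed superglobal: double escaping,
        //    a literal backslash ends up in the stored value.
        'double'  => "INSERT INTO t (title) VALUES ('" . db_escape($_POST['title']) . "')",
        // 3. New API: raw value, escaped exactly once where it is used.
        'correct' => "INSERT INTO t (title) VALUES ('" . db_escape(wp_get_post('title')) . "')",
        // 4. Non-SQL sinks want the raw value too: C:\temp, not C:\\temp.
        'path'    => wp_get_post('path'),
        'tags'    => wp_get_post('tags'),
    );
}

var_dump(build_queries());
```

Running it shows 'legacy' and 'correct' both produce VALUES ('O\'Reilly'), while 'double' produces VALUES ('O\\\'Reilly'), and 'path' comes back as C:\temp with its nested 'tags' array untouched. The get_magic_quotes_gpc guard is there because the function was removed in PHP 8; on PHP 5 with magic_quotes_gpc on, the strip step runs and the end state is identical.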

