[wp-trac] [WordPress Trac] #18322: The Road to Magic Quotes Sanity

Sun Nov 16 19:41:06 UTC 2014

#18322: The Road to Magic Quotes Sanity
----------------------------+-----------------------------
 Reporter:  ryan            |       Owner:
     Type:  defect (bug)    |      Status:  new
 Priority:  normal          |   Milestone:  Future Release
Component:  Bootstrap/Load  |     Version:  3.2.1
 Severity:  major           |  Resolution:
 Keywords:                  |     Focuses:
----------------------------+-----------------------------

Comment (by najamelan):

 > Replying to [comment:34 thanatica2]:
 > > Why are we still discussing this? Just remove the magic quotes. They
 are not neccesary.
 >
 > I know this is a pretty long ticket (especially if you account for all
 the related ones that are linked), but it's definitely worth taking the
 time to carefully read each comment.  Currently magic quotes *are*
 necessary because removing them could easily open us to unexpected
 security vulnerabilities.  And even if we fix all those in core, there
 would likely be hundreds (conservative estimate) of plugins that would be
 suddenly vulnerable because they were assuming slashed data and it wasn't.
 >
 > I think we'd all like to get rid of the forced slashing, but we need to
 come up with a way to do it that doesn't result in thousands of vulnerable
 sites.  We haven't yet found an elegant way to do that.

 I'm sorry, but you're turning things around imo. Messing with the raw php
 server variables is bad practice for anything but the most innocuous php
 script. People expect these variables to be pristine. The only reason they
 would not do so is because it has caused them troubles and they figured
 out it was WP messing with them. If plugin authors write broken plugins
 based on broken WP code, than there's not so much you can do, other than
 investing in making php less of a security hazard and education. However,
 if WP wants to move on from it's medieval heritage, it does need to fix
 stuff like this. If PHP can move away from magic quotes without breaking
 the internet, so can WP.

 If you need slashed versions of these variables, you copy them into your
 own data structure and slash them. Say: $_GET_SLASHED. Right now the
 workaround for people struggling with this is the reverse, namely copying
 these variables into some safe haven before WP nukes them. You can do this
 in wp-config.php or in plugins, cause they are loaded before WP does it's
 "magic". Note: you can't do this in a theme, because they are loaded
 afterwards. (note that this means my plugin won't have security issues if
 WP get's rid of its magic quotes) If you want to publish a theme that
 needs pristine data, you're basically out of luck as far as I can tell,
 because stripping the slashes is also dangerous if you need some degree of
 slashing, albeit not an arbitrary degree (json_encoded data for example).

 Now instead of slashing stuff ad nauseum, what WP really misses is a clean
 OOP escaping class. This is what I use:
 https://gist.github.com/najamelan/e2bc8ed92911537e4475. It's not finished,
 nor unit tested, so it's for educational purposes only.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/18322#comment:41>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform