bobbingwide / oik-bwtrace

debug trace for WordPress
https://www.oik-plugins.com/oik-plugins/oik-bwtrace-debug-trace-for-wordpress/
GNU General Public License v2.0

What's calling addslashes() on $_REQUEST ? #105

Open bobbingwide opened 3 years ago

bobbingwide commented 3 years ago

When tracing starts up the trace_startup() function traces values in $_SERVER and $_REQUEST if the trace level is BW_TRACE_INFO or higher.

The values in $_REQUEST may look like this.

C:\apache\htdocs\wordpress\wp-content\plugins\oik-bwtrace\includes\class-BW-trace-controller.php(416:0) trace_startup(2) 8 2 2021-09-18T10:16:56+00:00 0.006950 0.000166 cf! 22 1 0 2097152/2097152 756M F=306 _REQUEST Array

    [page] => (string) "gvg_bulk_update"
    [v] => Array

        [3698] => (string) "Aluminium Polycarbonate Cold Frame 4' x 3'(double)"

    [c] => *RECURSION* v 0
    [_field_name] => (string) "name"
    [_option] => (string) "85"
    [_new_field_value] => (string) ""
    [_match_value] => (string) ""
    [gvg_update_by_product] => (string) "Update by product"

$_REQUEST is a combination of $_GET and $_POST.

If the trace level is BW_TRACE_DEBUG or higher then these two arrays are also traced.

In later processing I've noticed that the values in $_REQUEST have been escaped using addslashes().

C:\apache\htdocs\wordpress\wp-content\plugins\gvg_bulk_update\admin\class-gvg-bulk-update-page.php(645:0) gvg_bulk_update_page::get_current_value(2) 29 3 2021-09-18T10:19:59+00:00 1.089660 0.000295 cf=tools_page_gvg_bulk_update 21619 161 0 41943040/41943040 756M F=1743 request default output handler,default output handler
Array

    [page] => (string) "gvg_bulk_update"
    [v] => Array

        [3698] => (string) "Aluminium Polycarbonate Cold Frame 4\' x 3\' (double)"

    [c] => Array

        [3698] => (string) "Aluminium Polycarbonate Cold Frame 4\' x 3\'(double)"

    [_field_name] => (string) "name"
    [_option] => (string) "85"
    [_new_field_value] => (string) ""
    [_match_value] => (string) ""
    [gvg_update_by_product] => (string) "Update by product"

Notice that the single quotes have been escaped with a backslash. This is the effect of addslashes() / wp_slash().

addslashes

Returns a string with backslashes added before characters that need to be escaped. These characters are: single quote ('), double quote ("), backslash (\), NUL (the NUL byte).

If we attempt to compare values extracted from this array with the originals we may have to stripslashes() / wp_unslash().

The questions I have are:

Finding the answers to the above questions should help the debugger determine what to do to fix their code.

bobbingwide commented 3 years ago

In wp-settings.php, after the plugins_loaded action hook, there's a call to wp_magic_quotes().

function wp_magic_quotes() {
    // Escape with wpdb.
    $_GET    = add_magic_quotes( $_GET );
    $_POST   = add_magic_quotes( $_POST );
    $_COOKIE = add_magic_quotes( $_COOKIE );
    $_SERVER = add_magic_quotes( $_SERVER );

    // Force REQUEST to be GET + POST.
    $_REQUEST = array_merge( $_GET, $_POST );
}

add_magic_quotes() is a recursive function. It calls add_slashes() for each string in each array. trace_startup() is called when oik-bwtrace is loaded, which is before plugins loaded.

So now we ask, should oik-bwtrace defer tracing of these globals until plugins_loaded? Or should it retrace them after add_magic_quotes() has been called?

What's probably more important is to understand how to deal with backslashes in input text and textarea fields that get lost when we call wp_unslash().
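The following script is an added example (not code from oik-bwtrace or WordPress core) that illustrates both points raised in this issue: why a value captured before wp_magic_quotes() runs no longer matches the one in $_REQUEST afterwards, and why backslashes the user actually typed disappear if a value is unslashed more than once. demo_add_magic_quotes() and demo_unslash() are stand-ins written here for core's add_magic_quotes() and wp_unslash(); the request array is constructed to resemble the traced one above and is not real captured data.

```php
<?php
// Added example, not part of oik-bwtrace or WordPress core.
// Shows the effect of slashing request data after it has already been
// captured, and the difference between unslashing once and twice.

// Stand-in for WordPress core add_magic_quotes(): recursively addslashes()
// every string in a nested array. Assumption: close enough to core's
// behaviour for this illustration; non-string scalars are left untouched.
function demo_add_magic_quotes( array $input ) : array {
    foreach ( $input as $key => $value ) {
        if ( is_array( $value ) ) {
            $input[ $key ] = demo_add_magic_quotes( $value );
        } elseif ( is_string( $value ) ) {
            $input[ $key ] = addslashes( $value );
        }
    }
    return $input;
}

// Stand-in for wp_unslash(): recursive stripslashes().
function demo_unslash( $value ) {
    if ( is_array( $value ) ) {
        return array_map( 'demo_unslash', $value );
    }
    return is_string( $value ) ? stripslashes( $value ) : $value;
}

// Constructed request shaped like the traced $_REQUEST above.
// Product 3698 contains single quotes; product 3699 contains literal
// backslashes, e.g. a Windows path typed into a text field.
$raw_request = [
    'page' => 'gvg_bulk_update',
    'v'    => [
        3698 => "Aluminium Polycarbonate Cold Frame 4' x 3'(double)",
        3699 => 'Stored in C:\\frames\\shed', // single-quoted: one backslash each
    ],
    '_field_name' => 'name',
];

// 1. What trace_startup() sees when it runs before plugins_loaded:
//    the values exactly as PHP received them.
$before = $raw_request;

// 2. What a plugin sees once wp_magic_quotes() has run: every string slashed.
$after = demo_add_magic_quotes( $raw_request );

printf( "before: %s\n", $before['v'][3698] );
printf( "after:  %s\n", $after['v'][3698] );

// Comparing the slashed value with the original fails, and only succeeds
// after the slashed copy has been unslashed exactly once.
var_dump( $after['v'][3698] === $before['v'][3698] );
var_dump( demo_unslash( $after['v'][3698] ) === $before['v'][3698] );

// The backslash case: one unslash restores what the user typed; a second
// unslash strips backslashes that wp_magic_quotes() never added.
$once  = demo_unslash( $after['v'][3699] );
$twice = demo_unslash( $once );
printf( "once:  %s\n", $once );
printf( "twice: %s\n", $twice );
var_dump( $once  === $raw_request['v'][3699] );
var_dump( $twice === $raw_request['v'][3699] );
```

Run it with the PHP CLI. The practical rule it demonstrates is that slashing and unslashing must be paired: a value traced before plugins_loaded has not been slashed yet, so comparing it with $_REQUEST after that point requires unslashing the later copy, not the earlier one, and never unslashing the same value twice.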