Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

The captured request data is slashed because of the insanity that is wp_magic_quotes() #408

Open
stefanfisk opened this issue Oct 19, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@stefanfisk
Copy link
Contributor

Version

v4.3.0

What did you expect to happen?

I expected the captured request data to not be slashed because the whole idea of wp_magic_quotes is crazy.

https://core.trac.wordpress.org/ticket/18322

What actually happens?

The captured request data is slashed.

AFAICT this seems like the most appropriate fix:

// Undo wp_magic_quotes()

$_GET     = stripslashes_deep($_GET);
$_POST    = stripslashes_deep($_POST);
$_COOKIE  = stripslashes_deep($_COOKIE);
$_SERVER  = stripslashes_deep($_SERVER);
$_REQUEST = array_merge($_GET, $_POST);

// Capture request

$request = Request::capture();

// Redo wp_magic_quotes()

wp_magic_quotes();

Here's a custom bootstrap workaround that seems OK after minimal testing:

<?php

declare(strict_types=1);

namespace App\Bootstrap;

use Illuminate\Contracts\Foundation\Application;
use Illuminate\Http\Request;

class UndoWpMagicQuotes
{
    public function bootstrap(Application $app): void
    {
        /** @var Request $request */
        $request = $app->make('request');

        $request->query->replace(stripslashes_deep($_GET));
        $request->request->replace(stripslashes_deep($_POST));
        $request->cookies->replace(stripslashes_deep($_COOKIE));
        $request->server->replace(stripslashes_deep($_SERVER));
    }
}

Steps to reproduce

  1. Make a request to /?foo=\
  2. Call app('request')->get('foo')
  3. Watch the returned value be \\

System info

php:8.1-fpm docker image under Pop!_OS 22.04 LTS.

Log output

No response

Please confirm this isn't a support request.

Yes

@stefanfisk stefanfisk added the bug Something isn't working label Oct 19, 2024
@stefanfisk
Copy link
Contributor Author

That workaround breaks request when it's derived from the request body.

Here's a fixed version:

<?php

declare(strict_types=1);

namespace App\Bootstrap;

use Illuminate\Contracts\Foundation\Application;
use Illuminate\Http\Request;

use function array_merge;

/**
 * Workaround for wp_magic_quotes() being applied to the captured request.
 *
 * @see https://github.com/roots/acorn/issues/408
 */
class UndoWpMagicQuotes
{
    public function bootstrap(Application $app): void
    {
        // Undo wp_magic_quotes()

        $_GET     = stripslashes_deep($_GET);
        $_POST    = stripslashes_deep($_POST);
        $_COOKIE  = stripslashes_deep($_COOKIE);
        $_SERVER  = stripslashes_deep($_SERVER);
        $_REQUEST = array_merge($_GET, $_POST);

        // Capture request

        $tempRequest = Request::capture();

        // Replace bound data

        /** @var Request $request */
        $request = $app->make('request');

        $request->query->replace($tempRequest->query->all());
        $request->request->replace($tempRequest->request->all());
        $request->cookies->replace($tempRequest->cookies->all());
        $request->server->replace($tempRequest->server->all());

        // Redo wp_magic_quotes()

        wp_magic_quotes();
    }
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

1 participant