
BuddyPress.org

Opened 7 years ago

Closed 7 years ago

#4758 closed defect (bug) (fixed)

bp_forums_reply_exists fails to escape value in db query

Reported by: wpdennis
Owned by:
Milestone: 1.7
Priority: high
Severity: major
Version: 1.6.1
Component: Forums
Keywords: dev-feedback
Cc:

Description

The function bp_forums_reply_exists adds a filter to get_posts_where without escaping the specified value:

// BB_Query's post_text parameter does a MATCH, while we need exact matches
add_filter( 'get_posts_where', create_function( '$q', 'return $q . " AND p.post_text = \'' . $text . '\'";' ) );

In http://buddypress.trac.wordpress.org/browser/trunk/bp-forums/bp-forums-functions.php on line 366.

Since it's a public function it seems to be a security risk. I found it because a post ending with the smiley ":\" will throw a MySQL error (the backslash escapes the ' in the query).

Suggestion for escaping:

global $wpdb;
add_filter( 'get_posts_where', create_function( '$q', 'return $q . " AND p.post_text = \'' . $wpdb->escape($text) . '\'";' ) );

Attachments (3)

6716.patch (1.0 KB) - added by johnjamesjacoby 7 years ago.
4758.patch (1.7 KB) - added by johnjamesjacoby 7 years ago.
4758.2.patch (1.8 KB) - added by johnjamesjacoby 7 years ago.


Change History (10)

#1 @boonebgorges
7 years ago

  • Milestone changed from Awaiting Review to 1.6.3
  • Priority changed from normal to high

Good find. Thanks very much for reporting it.

#2 @boonebgorges
7 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [6715]) Escape post text before checking for existing replies in bp_forums_reply_exists()

Fixes #4758

Props wpdennis

#3 @boonebgorges
7 years ago

(In [6716]) Escape post text before checking for existing replies in bp_forums_reply_exists()

Fixes #4758

Props wpdennis

#4 @imath
7 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Hi, I think you need to check this ticket again, as if I have a forum reply like:

"l ' apostrophe"

then I have "an error in your SQL syntax".

The problem seems to be that "l ' apostrophe" is becoming

 l \\' apostrophe

If I stripslashes the $text before $wpdb->escape( $text ) then the error disappears...

#5 @boonebgorges
7 years ago

  • Milestone changed from 1.6.3 to 1.7

#6 @johnjamesjacoby
7 years ago

Oops. Used the revision number instead of the ticket number. You get the idea.

#7 @johnjamesjacoby
7 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

(In [6778]) Update bp_forums_reply_exists() to use external helper filter instead of escaped create_function() usage. Fixes #4758.
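The description, imath's reopening and the final commit all hinge on one detail of the original code: create_function() compiles the concatenated string as PHP source, so the value is parsed once as a double-quoted PHP string before it ever reaches MySQL, and a single SQL escape cannot account for both steps. The stand-alone PHP model below is an added example, not BuddyPress code (the demo_* names are ours, and the "helper" variant only reconstructs the approach named in [6778], not its actual code); it reproduces each observation in the ticket, assuming as imath's output implies that request text reaches the function already slashed.

```php
<?php
// Stand-alone model of the escaping problem in this ticket; not BuddyPress
// code. Inputs are constructed from the reports above.

// Escape for a single-quoted MySQL literal (the characters
// mysql_real_escape_string() handles; single-byte charset assumed).
function demo_sql_escape(string $s): string {
    return strtr($s, ["\\" => "\\\\", "'" => "\\'", "\"" => "\\\"",
                      "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z"]);
}

// create_function() compiles the concatenated string as PHP source, so the
// value is first parsed as a double-quoted PHP string: \\ \" \$ collapse,
// \' stays as-is. Simplified model covering only those escapes.
function demo_php_double_quote_pass(string $s): string {
    return preg_replace('/\\\\([\\\\"$])/', '$1', $s);
}

// True when the appended literal is delimited by exactly two unescaped quotes.
function demo_literal_is_balanced(string $clause): bool {
    $n = 0;
    for ($i = 0, $len = strlen($clause); $i < $len; $i++) {
        if ($clause[$i] === "\\") { $i++; continue; }  // skip the escaped char
        if ($clause[$i] === "'")  { $n++; }
    }
    return $n === 2;
}

// The fragment MySQL receives under each approach discussed in the ticket.
function demo_fragment(string $text, string $variant): string {
    $value = match ($variant) {
        'unescaped' => demo_php_double_quote_pass($text),                  // trunk before [6715]
        'escaped'   => demo_php_double_quote_pass(demo_sql_escape($text)), // [6715]/[6716]
        'unslashed' => demo_php_double_quote_pass(demo_sql_escape(stripslashes($text))), // imath
        'helper'    => demo_sql_escape($text),  // no create_function() round trip, as in [6778]
    };
    return " AND p.post_text = '" . $value . "'";
}

// Constructed inputs as the function receives them: the ":\" smiley raw, and
// "l ' apostrophe" both raw and slashed (WordPress hands request data in slashed).
$cases = [':\\', "l ' apostrophe", "l \\' apostrophe"];
foreach ($cases as $text) {
    foreach (['unescaped', 'escaped', 'unslashed', 'helper'] as $variant) {
        $frag = demo_fragment($text, $variant);
        printf("%-9s %-20s %-34s %s\n", $variant, var_export($text, true), $frag,
               demo_literal_is_balanced($frag) ? 'ok' : 'SQL syntax error');
    }
}
```

Note that "unslashed" on already-unslashed input alters the stored value (stripslashes drops the trailing backslash of ":\"), which is why only removing the create_function() step, not adding more escaping, closes the ticket cleanly.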
