Null (`\0`) bytes in strings cause truncation in MSSQL driver #329
A bit of an edge case, but I promise we hit it in real life! Feel free to close as too far-fetched.
If any user input includes a null byte (
This results in a prepared SQL statement that includes the
Using prepared statements at the SQL driver level avoids this, for example:
will work, but:
However, I guess that wouldn't be too easy to drop into the WordPress framework of returning a single string from wpdb::prepare().
I wonder if it's worth rejecting any queries up front that contain
(In our case, we hit this by importing some data from an external RSS feed which contained the offending byte. I haven't been instantly able to submit it through the front-end, which is encouraging, but I've not tried extensively.)
There is so much that needs to be said right here...
First, I believe I could count on two hands the installs which might have been able to find this (one if I dedupe for their dev sites), so bravo. And I'll have to review the pull request and determine if there was a reason for the original order before merging.
Second, given that limited case I do wonder if a solution for you might be a filter on post save that replaces the nulls with a salt and on post display converts it back. There are similar examples of that throughout the WordPress ecosystem.
To be honest, I have no good reason to store null bytes at all: it was data that happened to come in from elsewhere, and I was as surprised by it as anyone, so I'm just stripping those and dumping them in that workflow - not a big deal.
It was more the idle wondering about whether it could be an attack vector that made me throw this issue in!
(#327 and its associated PR are way more interesting, and real-world-relevant, than this issue!)
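The following is an added example, not code from this thread or from the driver project. It sketches the two mitigations discussed above: stripping NUL bytes from imported data before it is saved, and rejecting a fully built query string up front, assuming the check is for NUL bytes. The function names and the sample feed item are hypothetical.

```php
<?php
// Added example: helper names are hypothetical, not WordPress or driver APIs.

/**
 * Recursively strip NUL bytes from imported data (e.g. a parsed feed item).
 * Records the path of every field that was changed so it can be logged.
 */
function strip_nul_bytes($value, string $path = '', array &$hits = [])
{
    if (is_string($value)) {
        if (strpos($value, "\0") === false) {
            return $value;
        }
        $hits[] = $path === '' ? '(root)' : $path;
        return str_replace("\0", '', $value);
    }
    if (is_array($value)) {
        $clean = [];
        foreach ($value as $key => $item) {
            // Array keys can carry NUL bytes as well as values.
            $clean_key = is_string($key) ? str_replace("\0", '', $key) : $key;
            $clean[$clean_key] = strip_nul_bytes($item, $path . '/' . $clean_key, $hits);
        }
        return $clean;
    }
    return $value; // ints, floats, bools, null: nothing to strip
}

/**
 * Fail closed: refuse to pass a query string containing NUL to the driver,
 * where it could be cut short at that byte.
 */
function assert_query_has_no_nul(string $sql): string
{
    $pos = strpos($sql, "\0");
    if ($pos !== false) {
        throw new InvalidArgumentException("Query rejected: NUL byte at offset $pos");
    }
    return $sql;
}

// Constructed sample input standing in for an imported RSS item.
$item = ['title' => "Weekly\0 update", 'tags' => ['news', "rss\0"], 'id' => 42];
$hits = [];
$clean = strip_nul_bytes($item, '', $hits);
echo 'Cleaned fields: ' . implode(', ', $hits) . PHP_EOL;

// Constructed query string, as a prepare()-style function might return it.
try {
    assert_query_has_no_nul("INSERT INTO posts (title) VALUES ('Weekly\0 update')");
} catch (InvalidArgumentException $e) {
    echo $e->getMessage() . PHP_EOL;
}
```

Stripping at the import boundary keeps the stored data clean, while the query-level check acts as a backstop for any path that bypasses the import filter.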