Placeholder escaping problem with $[0-9] present in values #2

Closed
fjarrett opened this Issue Mar 16, 2018 · 3 comments


fjarrett commented Mar 16, 2018

When a $ symbol immediately followed by a digit is used inside a value, what stdout reports doesn't match what actually gets put into the wp-config.php file.

I'd consider this an urgent problem for anyone generating random passwords or salts with the potential for a $[0-9] pattern to exist.

```
$ wp config set DB_PASSWORD '$12345abcde'
Success: Updated the constant 'DB_PASSWORD' in the 'wp-config.php' file with the value '$12345abcde'.
---
/** MySQL database password */
define( 'DB_PASSWORD', '345abcde' );

$ wp config set DB_PASSWORD 'abc$12345de'
Success: Updated the constant 'DB_PASSWORD' in the 'wp-config.php' file with the value 'abc$12345de'.
---
/** MySQL database password */
define( 'DB_PASSWORD', 'abc345de' );
```

These work fine ($ not immediately followed by a digit)

```
$ wp config set DB_PASSWORD '$abcde12345'
Success: Updated the constant 'DB_PASSWORD' in the 'wp-config.php' file with the value '$abcde12345'.
---
/** MySQL database password */
define( 'DB_PASSWORD', '$abcde12345' );

$ wp config set DB_PASSWORD '123$abcde45'
Success: Updated the constant 'DB_PASSWORD' in the 'wp-config.php' file with the value '$abcde12345'.
---
/** MySQL database password */
define( 'DB_PASSWORD', '123$abcde45' );
```

fjarrett commented Mar 16, 2018

@schlessera I haven't had a chance to really dig into the root cause yet, so it's unclear whether this is a problem in the transformer or the config command itself, but based on what I was experiencing it seemed like the transformer.


danielbachhuber commented Mar 20, 2018

I've been able to reproduce this report.

> based on what I was experiencing it seemed like the transformer.

Yes. If the Success: output is correct, which it is, then the problem is within the transformer.


danielbachhuber commented Mar 20, 2018

The culprit is:

```php
$contents = preg_replace( sprintf( '/(?<=^|;|<\?php\s|<\?\s)%s/m', preg_quote( $old_src, '/' ) ), $new_src, $this->wp_config_src );
```

Specifically, $12345 is interpreted as a placeholder instead of a direct replacement.
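
An added example, not part of the original thread and not the project's code: it reproduces the replacement-template behaviour described above against a constructed wp-config fragment, and contrasts it with a callback-based replacement whose return value is inserted literally. The helper names, the sample config and the `abc\1de` value (a backslash reference, which goes beyond the `$` cases reported in this issue) are assumptions.

```php
<?php
// Added example: constructed wp-config fragment and hypothetical helper names.

// Same pattern as the line quoted above: match the old statement at a statement boundary.
function statement_pattern( string $old_src ): string {
    return sprintf( '/(?<=^|;|<\?php\s|<\?\s)%s/m', preg_quote( $old_src, '/' ) );
}

// Behaviour reported in this issue: $new_src is parsed as a replacement template,
// so "$12" (and "\1") are read as capture-group references and expand to "".
function replace_unsafe( string $src, string $old_src, string $new_src ): string {
    return preg_replace( statement_pattern( $old_src ), $new_src, $src );
}

// Hardened: a callback's return value is inserted verbatim, never parsed for references.
function replace_literal( string $src, string $old_src, string $new_src ): string {
    return preg_replace_callback(
        statement_pattern( $old_src ),
        static function ( array $m ) use ( $new_src ): string {
            return $new_src;
        },
        $src
    );
}

// Constructed sample input.
$old    = "define( 'DB_PASSWORD', 'old' );";
$config = "<?php\n/** MySQL database password */\n{$old}\n";

// The four values from the report plus one constructed backslash case.
$values = [ '$12345abcde', 'abc$12345de', '$abcde12345', '123$abcde45', 'abc\1de' ];

foreach ( $values as $value ) {
    $new = "define( 'DB_PASSWORD', '{$value}' );";
    foreach ( [ 'replace_unsafe', 'replace_literal' ] as $fn ) {
        $out = $fn( $config, $old, $new );
        // Post-write check: the requested statement must be present byte-for-byte.
        $ok = false !== strpos( $out, $new );
        printf( "%-16s %-14s %s\n", $fn, $value, $ok ? 'intact' : 'CORRUPTED' );
    }
}
```

The byte-for-byte check in the loop is the kind of post-write verification that would have caught the mismatch between the `Success:` message and the file contents.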
