On Fri, 16 Jul 2021 at 21:24, Hans Henrik Bergan <[email protected]>
wrote:
> short of a bug in esc_like(), i don't even see the vulnerability issue in
> that code?
>
Sorry Hans, I copied the wrong diff.
There were only 2 changes from woocommerce 5.5.0 to 5.5.1.
Like you I was wondering what that diff was doing before posting - I'm
fairly sure it's just to be consistent with the other lines (which all use
$wpdb->prepare).
The diff I should have copied is:
diff -r
woocommerce.5.5.0/packages/woocommerce-blocks/src/StoreApi/Utilities/ProductQueryFilters.php
woocommerce.5.5.1/packages/woocommerce-blocks/src/StoreApi/Utilities/ProductQueryFilters.php
86c86,92
< $attributes_to_count = array_map( 'wc_sanitize_taxonomy_name',
$attributes );
---
> $attributes_to_count = array_map(
> function( $attribute ) {
> $attribute = wc_sanitize_taxonomy_name( $attribute );
> return esc_sql( $attribute );
> },
> $attributes
> );
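Review bot: the escaping in the new closure happens where `$attributes_to_count` is assigned, not where it is interpolated into SQL, so the variable now holds SQL-escaped strings rather than taxonomy names. That is only safe if `$attributes_to_count` feeds the `implode( '","', ... )` string and nothing else; any PHP-side comparison against real taxonomy names, or a later `$wpdb->prepare()` of the same values, would see backslashed data. Consider moving `esc_sql()` to the line that builds the `IN ("...")` list, or replace the quoted implode with a placeholder list passed to `$wpdb->prepare()` as the surrounding code does, e.g. `implode( ',', array_fill( 0, count( $attributes_to_count ), '%s' ) )`, so the quoting and the escaping live in one place.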
In context `$attributes_to_count` simply goes to:
$attributes_to_count_sql = 'AND term_taxonomy.taxonomy IN ("' . implode( '","', $attributes_to_count ) . '")';
Where the esc_sql() is basically a call to mysqli_real_escape_string(),
which explains why it needs risky quotes in/around implode.
Craig
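Added example to illustrate the point above about esc_sql() and the quotes around implode(). It is my own code, not Craig's and not WooCommerce's: the esc_sql() stand-in assumes the mysqli_real_escape_string() escape set, the attribute names are constructed for the demonstration, and the prepared_in_clause() shape is an assumption about what a $wpdb->prepare()-style placeholder list looks like.

```python
# Added example, not WooCommerce or WordPress code. It models the pattern from
# ProductQueryFilters.php: per-value esc_sql() escaping only keeps a value
# inside its string literal because the caller wraps each value in the double
# quotes of IN ("...","..."). Assumptions: the escape set below mirrors
# mysqli_real_escape_string(); the attribute names are constructed input.

# Characters mysqli_real_escape_string() backslash-escapes (assumed set).
MYSQL_ESCAPES = {
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\x1a": "\\Z",
}
MYSQL_UNESCAPES = {v[1]: k for k, v in MYSQL_ESCAPES.items()}


def esc_sql(value: str) -> str:
    """Stand-in for esc_sql(): escape one value for use *inside* a quoted
    MySQL string literal. It adds no quotes itself; the caller must."""
    return "".join(MYSQL_ESCAPES.get(ch, ch) for ch in value)


def build_in_clause(attributes, escape=None):
    """The clause as ProductQueryFilters.php assembles it: values joined with
    '","' and wrapped in ("..."). `escape` is the per-value transform applied
    before interpolation (None = no escaping, as before the 5.5.1 change)."""
    values = [escape(a) if escape else a for a in attributes]
    return 'AND term_taxonomy.taxonomy IN ("' + '","'.join(values) + '")'


def string_literals(sql):
    """Minimal scanner for the double-quoted literals MySQL would see in
    `sql`, honouring backslash escapes. If a value broke out of its literal,
    the result no longer matches the attribute list that went in."""
    literals, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != '"':
            i += 1
            continue
        i += 1  # opening quote
        buf = []
        while i < n and sql[i] != '"':
            if sql[i] == "\\" and i + 1 < n:
                buf.append(MYSQL_UNESCAPES.get(sql[i + 1], sql[i + 1]))
                i += 2
            else:
                buf.append(sql[i])
                i += 1
        literals.append("".join(buf))
        i += 1  # closing quote
    return literals


def prepared_in_clause(attributes):
    """Placeholder shape for a $wpdb->prepare()-style IN list (assumed):
    one %s per value, with the values travelling separately as parameters,
    so no quoting or escaping is done by string concatenation at all."""
    placeholders = ",".join(["%s"] * len(attributes))
    return "AND term_taxonomy.taxonomy IN (" + placeholders + ")", list(attributes)


if __name__ == "__main__":
    # Constructed input: one benign name and one that still carries a double
    # quote when it reaches the SQL builder.
    attrs = ["pa_size", 'pa_color") OR ("1"="1']
    for label, fn in (("no escaping", None), ("with esc_sql", esc_sql)):
        sql = build_in_clause(attrs, fn)
        print(label, "->", sql)
        print("  literals MySQL sees:", string_literals(sql))
    print(prepared_in_clause(attrs))
```

Running it shows the unescaped clause splitting the second name into several literals (the attacker's text becomes SQL), while the escaped clause hands MySQL exactly the two names that went in. The escaping only works because `build_in_clause` supplies the `"` on either side of each value; `esc_sql` on a value that is later interpolated unquoted gives no protection.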