Opened 8 months ago
Closed 4 months ago
#22324 closed enhancement (wontfix)
sanitize_post_field() forgets some integer fields
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | General | Version: | 3.4.2 |
| Severity: | minor | Keywords: | has-patch commit |
| Cc: | kovshenin, greg@… |
Description
The post_author and comment_count properties of the $post object should be sanitized to integer values instead of strings (the default data type).
Both those fields are stored in BIGINT(20) columns in the posts table. They can only contain integer values.
Attachments (3)
Change History (24)
comment:1
SergeyBiryukov
— 8 months ago
- Keywords commit added
- Milestone changed from Awaiting Review to Future Release
comment:2
SergeyBiryukov
— 5 months ago
- Milestone changed from Future Release to 3.6
comment:5
SergeyBiryukov
— 5 months ago
In 1193/tests:
comment:6
SergeyBiryukov
— 5 months ago
- Owner set to SergeyBiryukov
- Resolution set to fixed
- Status changed from new to closed
In 23353:
comment:7
bpetty
— 5 months ago
- Keywords has-patch commit removed
- Resolution fixed deleted
- Status changed from closed to reopened
Re-opening for new unit test failures. The following tests need updates if this is correct:
1) Tests_XMLRPC_mw_getPost::test_valid_post Failed asserting that 286 is of type "string". /wordpress-tests/tests/xmlrpc/mw/getPost.php:57 2) Tests_XMLRPC_mw_getRecentPosts::test_valid_post Failed asserting that 292 is of type "string". /wordpress-tests/tests/xmlrpc/mw/getRecentPosts.php:62 3) Tests_XMLRPC_wp_getPage::test_valid_page Failed asserting that 368 is of type "string". /wordpress-tests/tests/xmlrpc/wp/getPage.php:56 4) Tests_XMLRPC_wp_getPost::test_valid_post Failed asserting that 387 is of type "string". /wordpress-tests/tests/xmlrpc/wp/getPost.php:51
comment:8
markoheijnen
— 5 months ago
The tests shouldn't be updated. We talking about the XML-RPC here so we probably should update the code then.
I'm looking into it what changed.
comment:9
markoheijnen
— 5 months ago
Looking into it this never should have been committed as it is. Changing the data type is really dangerous and should be tested well and also the external API's should be checked. This since the app can crash now due their strictness of data types.
comment:10
markoheijnen
— 5 months ago
- Keywords has-patch commit added
Added the fix for the XML-RPC
comment:11
SergeyBiryukov
— 5 months ago
22324.fix-xmlrpc.diff looks consistent with [19071].
comment:12
SergeyBiryukov
— 5 months ago
wp.getPage() description in Codex appears to be inaccurate:
http://codex.wordpress.org/XML-RPC_wp#wp.getPage
It states that userid is an int, whereas it was actually a string. Related: ticket:18869:4.
comment:13
SergeyBiryukov
— 5 months ago
- Keywords needs-unit-tests removed
Updated the Codex page. 22324.fix-xmlrpc.diff passes the unit tests.
comment:14
SergeyBiryukov
— 5 months ago
- Resolution set to fixed
- Status changed from reopened to closed
In 23359:
comment:15
follow-up:
↓ 18
westi
— 5 months ago
- Resolution fixed deleted
- Status changed from closed to reopened
I'm not 100% sure this is a good change to make without further review and testing.
One thing that is probably broken by this change is anything that does post author highlighting of comments because get_comments returns straight db data with everything as strings.
We use a value and type === check here - https://core.trac.wordpress.org/browser/trunk/wp-includes/comment-template.php#L316
Which now will fail as one will be an int and one a string.
comment:16
gibrown
— 5 months ago
- Cc greg@… added
This uncovered a subtle caching bug on wp.com that I think probably affects a lot of plugins, and maybe elsewhere in core. Two cases.
1) Used to work, but with this change started failing.
- Post content is stored in the cache and so post_author is returned as a string when get_post() is called.
- Plugin loads the post_author from cache and then === compares against something like comment_author
2) Failed before (very rare though due to caching, so we had never reproduced it), with this change it works.
- Post content is loaded from db rather than cache by get_post(). post_author is an int.
- Plugin does a === comparison which fails against things like comment_author.
The second example is a bug that is probably occurring now in many plugins, but so rarely that it is not noticed.
Given that (2) is actually failing, maybe the int coming out of the db should actually be cast to a string in get_post(), etc.
comment:17
ryan
— 4 months ago
This was reverted on wordpress.com for the aforementioned reasons.
comment:18
in reply to:
↑ 15
johnbillion
— 4 months ago
Replying to westi:
I'm not 100% sure this is a good change to make without further review and testing.
One thing that is probably broken by this change is anything that does post author highlighting of comments because get_comments returns straight db data with everything as strings.
We use a value and type === check here - https://core.trac.wordpress.org/browser/trunk/wp-includes/comment-template.php#L316
Which now will fail as one will be an int and one a string.
This does indeed break post author highlighting. Twenty Twelve is no longer highlighting post author comments because it does an identicality check here: http://core.trac.wordpress.org/browser/tags/3.5.1/wp-content/themes/twentytwelve/functions.php#L291
comment:19
nacin
— 4 months ago
In 23531:
comment:20
nacin
— 4 months ago
In 1224/tests:
comment:21
nacin
— 4 months ago
- Milestone 3.6 deleted
- Resolution set to wontfix
- Status changed from reopened to closed
22324.ut.diff checks for integer fields after sanitize_post.