WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 4 years ago

#4762 closed enhancement (fixed)

new function: absint()

Reported by: markjaquith Owned by: markjaquith
Priority: normal Milestone: 2.8
Component: Security Version: 2.3
Severity: normal Keywords: int security needs-patch
Cc: ruckus

Description

There were a few bugs whereby things were being cast to ints and providing a negative int would mess up a query (for instance, with SQL LIMITs). We accept negative ints for post IDs (temporarily), but in all other places that Matt or I could think of, we use positive integers.

function absint($string) {
	return abs(intval($string));
}

We'd then convert all instances of intval() or (int) casting to use absint() (minus post IDs).

Objections? Thoughts?

Attachments (1)

4762.diff (533 bytes) - added by ruckus 5 years ago.
absint doesn't exist yet

Download all attachments as: .zip

Change History (18)

comment:1 markjaquith6 years ago

  • Component changed from Administration to Security
  • Keywords int security added
  • Owner changed from anonymous to markjaquith
  • Status changed from new to assigned

comment:2 matt6 years ago

+1 megapatch.

comment:3 markjaquith6 years ago

(In [6222]) Introducing absint() for casting to an absolute integer. see #4762

comment:4 DD325 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed
  • Type changed from task to enhancement

comment:5 follow-up: lloydbudd5 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Re-opening for markjaquith to close. He might be planning on using that function before closing this ticket.

comment:6 in reply to: ↑ 5 DD325 years ago

Replying to lloydbudd:

Re-opening for markjaquith to close. He might be planning on using that function before closing this ticket.

Apologies for stepping on anyones toes.

absint() has been put into use in several places (comment/post/taxonomy/functions .php)

comment:7 westi5 years ago

(In [6682]) Switch from abs(intval()) to absint(). See #4762.

ruckus5 years ago

absint doesn't exist yet

comment:9 ruckus5 years ago

The absint() function doesn't exist this early, so need to use abs(intval()).

While there, made both sides of the comparison to use abs(intval()) for identical treatment of the non-integer values (e.g. 8M or 32M).

comment:10 ruckus5 years ago

Err, "this early" == in wp-settings.php

comment:11 ruckus5 years ago

  • Cc ruckus added

comment:12 follow-up: ryan5 years ago

(In [6684]) absint is not defined yet. see #4762

comment:13 in reply to: ↑ 12 westi5 years ago

Replying to ryan:

(In [6684]) absint is not defined yet. see #4762

/me slaps wrist... that what I get for doing the change when I'm tired :-(

comment:14 westi5 years ago

  • Keywords needs-patch added

The only place we don't use this now where we have abs(intval()) instead is in wp-settings.php where it is too early and not defined.

There are a number of places where we only use intval() though but these need to be checked carefully so moving to 2.6 for the remaining changes and marking as needs-patch

comment:15 ffemtcj5 years ago

  • Milestone changed from 2.5 to 2.6

comment:16 Denis-de-Bernardy4 years ago

could we close this one as fixed?

comment:17 Denis-de-Bernardy4 years ago

  • Milestone changed from 2.9 to 2.8
  • Resolution set to fixed
  • Status changed from reopened to closed

fixed a while ago

Note: See TracTickets for help on using tickets.