Ticket #17737: 17737.8.diff
File 17737.8.diff, 6.1 KB (added by , 3 years ago) |
src/wp-includes/class-wp-query.php
diff --git src/wp-includes/class-wp-query.php src/wp-includes/class-wp-query.php index fb1fea61fb..55a65258b5 100644
class WP_Query { 792 792 $qv['p'] = (int) $qv['p']; 793 793 } 794 794 795 $qv['page_id'] = absint( $qv['page_id'] );796 $qv['year'] = absint( $qv['year'] );797 $qv['monthnum'] = absint( $qv['monthnum'] );798 $qv['day'] = absint( $qv['day'] );799 $qv['w'] = absint( $qv['w'] );795 $qv['page_id'] = is_scalar( $qv['page_id'] ) ? absint( $qv['page_id'] ) : 0; 796 $qv['year'] = is_scalar( $qv['year'] ) ? absint( $qv['year'] ) : 0; 797 $qv['monthnum'] = is_scalar( $qv['monthnum'] ) ? absint( $qv['monthnum'] ) : 0; 798 $qv['day'] = is_scalar( $qv['day'] ) ? absint( $qv['day'] ) : 0; 799 $qv['w'] = is_scalar( $qv['w'] ) ? absint( $qv['w'] ) : 0; 800 800 $qv['m'] = is_scalar( $qv['m'] ) ? preg_replace( '|[^0-9]|', '', $qv['m'] ) : ''; 801 $qv['paged'] = absint( $qv['paged'] );801 $qv['paged'] = is_scalar( $qv['paged'] ) ? absint( $qv['paged'] ) : 0; 802 802 $qv['cat'] = preg_replace( '|[^0-9,-]|', '', $qv['cat'] ); // Comma-separated list of positive or negative integers. 803 $qv['author'] = preg_replace( '|[^0-9,-]|', '', $qv['author'] ); // Comma-separated list of positive or negative integers.804 $qv['pagename'] = trim( $qv['pagename'] );805 $qv['name'] = trim( $qv['name'] );806 $qv['title'] = trim( $qv['title'] );807 if ( '' !== $qv['hour'] ) {803 $qv['author'] = is_scalar( $qv['author'] ) ? preg_replace( '|[^0-9,-]|', '', $qv['author'] ) : ''; 804 $qv['pagename'] = is_scalar( $qv['pagename'] ) ? trim( $qv['pagename'] ) : ''; 805 $qv['name'] = is_scalar( $qv['name'] ) ? trim( $qv['name'] ) : ''; 806 $qv['title'] = is_scalar( $qv['title'] ) ? 
trim( $qv['title'] ) : ''; 807 if ( is_scalar( $qv['hour'] ) && '' !== $qv['hour'] ) { 808 808 $qv['hour'] = absint( $qv['hour'] ); 809 } else { 810 $qv['hour'] = ''; 809 811 } 810 if ( '' !== $qv['minute'] ) { 812 813 if ( is_scalar( $qv['minute'] ) && '' !== $qv['minute'] ) { 811 814 $qv['minute'] = absint( $qv['minute'] ); 815 } else { 816 $qv['minute'] = ''; 812 817 } 813 if ( '' !== $qv['second'] ) { 818 819 if ( is_scalar( $qv['second'] ) && '' !== $qv['second'] ) { 814 820 $qv['second'] = absint( $qv['second'] ); 821 } else { 822 $qv['second'] = ''; 815 823 } 816 if ( '' !== $qv['menu_order'] ) { 824 825 if ( is_scalar( $qv['menu_order'] ) && '' !== $qv['menu_order'] ) { 817 826 $qv['menu_order'] = absint( $qv['menu_order'] ); 827 } else { 828 $qv['menu_order'] = ''; 818 829 } 819 830 820 831 // Fairly large, potentially too large, upper bound for search string lengths. … … class WP_Query { 823 834 } 824 835 825 836 // Compat. Map subpost to attachment. 826 if ( '' != $qv['subpost'] ) {837 if ( is_scalar( $qv['subpost'] ) && '' != $qv['subpost'] ) { 827 838 $qv['attachment'] = $qv['subpost']; 828 839 } 829 if ( '' != $qv['subpost_id'] ) {840 if ( is_scalar( $qv['subpost_id'] ) && '' != $qv['subpost_id'] ) { 830 841 $qv['attachment_id'] = $qv['subpost_id']; 831 842 } 832 843 833 $qv['attachment_id'] = absint( $qv['attachment_id'] );844 $qv['attachment_id'] = is_scalar( $qv['attachment_id'] ) ? absint( $qv['attachment_id'] ) : 0; 834 845 835 846 if ( ( '' !== $qv['attachment'] ) || ! empty( $qv['attachment_id'] ) ) { 836 847 $this->is_single = true; -
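Review bot: The condition kept on line 846, `'' !== $qv['attachment']`, still lets a non-scalar through when `attachment` is supplied directly instead of via `subpost`: the new `is_scalar()` guards on lines 837–841 cover only the `subpost`/`subpost_id` compat mapping, so an array passed as `attachment` compares `!== ''`, sets `$this->is_single = true` on line 847 and flows on as an array. Normalise it once next to the `attachment_id` line, `$qv['attachment'] = is_scalar( $qv['attachment'] ) ? $qv['attachment'] : '';`, so the check below it sees the same sentinel the other string vars now use. A smaller inconsistency: line 802 keeps `preg_replace()` on `cat` unguarded while its sibling `author` on line 803 gets the `is_scalar()` wrapper, and with an array subject `preg_replace()` returns an array rather than the "Comma-separated list" the trailing comment promises — either guard it the same way or reword the comment to say an array is accepted and normalised later (the patch's own `cat` test expects `'1,-1'` back from an array, so that normalisation must live outside this hunk). The enclosing method (parse_query(), judging by the tests) starts before and continues past this hunk.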
tests/phpunit/tests/query/parseQuery.php
diff --git tests/phpunit/tests/query/parseQuery.php tests/phpunit/tests/query/parseQuery.php index 5b3625ed0f..cee7aad895 100644
class Tests_Query_ParseQuery extends WP_UnitTestCase { 104 104 $this->assertSame( '404', $q->query_vars['error'] ); 105 105 } 106 106 107 /** 108 * Ensure an array of authors is rejected. 109 * 110 * @ticket 17737 111 */ 112 public function test_parse_query_author_array() { 113 $q = new WP_Query(); 114 $q->parse_query( 115 array( 116 'author' => array( 1, 2, 3 ), 117 ) 118 ); 119 120 $this->assertEmpty( $q->query_vars['author'] ); 121 } 122 123 /** 124 * Ensure a non-scalar (non-numeric) author value is rejected. 125 * 126 * @ticket 17737 127 */ 128 public function test_parse_query_author_string() { 129 $q = new WP_Query(); 130 $q->parse_query( 131 array( 132 'author' => 'admin', 133 ) 134 ); 135 136 $this->assertEmpty( $q->query_vars['author'] ); 137 } 138 139 /** 140 * Ensure nonscalar 'cat' array values are rejected. 141 * 142 * Note the returned 'cat' query_var value is a string. 143 * 144 * @ticket 17737 145 */ 146 public function test_parse_query_cat_array_mixed() { 147 $q = new WP_Query(); 148 $q->parse_query( 149 array( 150 'cat' => array( 1, 'uncategorized', '-1' ), 151 ) 152 ); 153 154 $this->assertSame( '1,-1', $q->query_vars['cat'] ); 155 } 156 157 /** 158 * Ensure a nonscalar menu_order value is rejected. 159 * 160 * @ticket 17737 161 */ 162 public function test_parse_query_menu_order_nonscalar() { 163 $q = new WP_Query(); 164 $q->parse_query( 165 array( 166 'menu_order' => array( 1 ), 167 ) 168 ); 169 170 $this->assertEmpty( $q->query_vars['menu_order'] ); 171 } 172 173 /** 174 * Ensure numeric 'subpost' gets assigned to 'attachment'. 175 * 176 * @ticket 17737 177 */ 178 public function test_parse_query_subpost_scalar() { 179 $subpost = 1; 180 $q = new WP_Query(); 181 $q->parse_query( 182 array( 183 'subpost' => $subpost, 184 ) 185 ); 186 187 $this->assertSame( $subpost, $q->query_vars['attachment'] ); 188 } 189 190 /** 191 * Ensure non-scalar 'subpost' does not get assigned to 'attachment'. 
192 * 193 * @ticket 17737 194 */ 195 public function test_parse_query_subpost_nonscalar() { 196 $q = new WP_Query(); 197 $q->parse_query( 198 array( 199 'subpost' => array( 1 ), 200 ) 201 ); 202 203 $this->assertEmpty( $q->query_vars['attachment'] ); 204 } 205 206 /** 207 * Ensure numeric 'attachment_id' value is assigned. 208 * 209 * @ticket 17737 210 */ 211 public function test_parse_query_attachment_id() { 212 $q = new WP_Query(); 213 $q->parse_query( 214 array( 215 'attachment_id' => 1, 216 ) 217 ); 218 219 $this->assertSame( 1, $q->query_vars['attachment_id'] ); 220 } 221 222 /** 223 * Ensure non-scalar 'attachment_id' value is rejected. 224 * 225 * @ticket 17737 226 */ 227 public function test_parse_query_attachment_id_nonscalar() { 228 $q = new WP_Query(); 229 $q->parse_query( 230 array( 231 'attachment_id' => array( 1 ), 232 ) 233 ); 234 235 $this->assertEmpty( $q->query_vars['attachment_id'] ); 236 } 107 237 }
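Review bot: `assertEmpty()` in test_parse_query_author_array, test_parse_query_author_string, test_parse_query_menu_order_nonscalar and test_parse_query_attachment_id_nonscalar is too loose to pin the sentinels the patch introduces, since `''`, `0`, `'0'` and `null` all satisfy it, so these tests cannot tell the `''` chosen for `author`/`menu_order` from the `0` chosen for `attachment_id`. Use the `assertSame()` the neighbouring test_parse_query_attachment_id already uses, e.g. `$this->assertSame( '', $q->query_vars['author'] );` and `$this->assertSame( 0, $q->query_vars['attachment_id'] );`. Two docblocks also misdescribe their cases: `'admin'` is a scalar string, so test_parse_query_author_string should read `* Ensure a non-numeric author value is rejected.`, and test_parse_query_cat_array_mixed asserts that the array is filtered down to `'1,-1'` rather than rejected, so `* Ensure non-numeric entries in a 'cat' array are dropped.` matches what it checks. The test class continues past this hunk.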