
Changeset 38288


Timestamp:
08/20/2016 02:31:31 AM (8 years ago)
Author:
boonebgorges
Message:

Query: Non-scalar and negative values for 'p' should always result in a 404.

Previously, the 'p' query var was being run through absint(), which
caused unexpected results.

Props Akeif, kouratoras.
Fixes #33372.

Location:
trunk
Files:
2 edited

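--- a/trunk/src/wp-includes/query.php
+++ b/trunk/src/wp-includes/query.php
@@ -1603,5 +1603,11 @@
             $this->is_robots = true;
 
-        $qv['p'] =  absint($qv['p']);
+        if ( ! is_scalar( $qv['p'] ) || $qv['p'] < 0 ) {
+            $qv['p'] = 0;
+            $qv['error'] = '404';
+        } else {
+            $qv['p'] = intval( $qv['p'] );
+        }
+
         $qv['page_id'] =  absint($qv['page_id']);
         $qv['year'] = absint($qv['year']);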
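Review bot: The guard `$qv['p'] < 0` compares the raw query value before any cast, so for string input the result rests on PHP's loose string-to-number comparison (which differs between PHP versions for non-numeric strings) and can disagree with the integer that `intval()` stores afterwards. Casting first keeps the check and the stored id in agreement: `if ( ! is_scalar( $qv['p'] ) || intval( $qv['p'] ) < 0 ) {`. Scalars that are not integers (`true`, `'12abc'`, floats) still pass the guard and are silently coerced; if that is intended, a short comment above the `else` branch saying so would help. The unchanged `absint($qv['page_id'])` on the next line presumably keeps the same array and negative-value coercion this commit removes for 'p', so it deserves the same treatment or a follow-up ticket. The enclosing method starts and ends outside this hunk.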
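--- a/trunk/tests/phpunit/tests/query/parseQuery.php
+++ b/trunk/tests/phpunit/tests/query/parseQuery.php
@@ -52,3 +52,40 @@
         $this->assertSame( true, $q->query_vars['s'] );
     }
+
+    /**
+     * @ticket 33372
+     */
+    public function test_parse_query_p_negative_int() {
+        $q = new WP_Query();
+        $q->parse_query( array(
+            'p' => -3,
+        ) );
+
+        $this->assertSame( '404', $q->query_vars['error'] );
+    }
+
+    /**
+     * @ticket 33372
+     */
+    public function test_parse_query_p_array() {
+        $q = new WP_Query();
+        $q->parse_query( array(
+            'p' => array(),
+        ) );
+
+        $this->assertSame( '404', $q->query_vars['error'] );
+    }
+
+    /**
+     * @ticket 33372
+     */
+    public function test_parse_query_p_object() {
+        $q = new WP_Query();
+        $q->parse_query( array(
+            'p' => new stdClass(),
+        ) );
+
+        $this->assertSame( '404', $q->query_vars['error'] );
+    }
+
 }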
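Review bot: The three new tests assert only the `error` flag and use PHP-native values (an int, an empty array, an object); none pins that `query_vars['p']` was reset to 0, and none covers the numeric string `'-3'` or a non-empty array, which is presumably the form a URL query string would supply. Adding `$this->assertSame( 0, $q->query_vars['p'] );` to each test would catch a regression where the 404 is set but the unvalidated value is still used for the lookup, assuming nothing later in parse_query() rewrites 'p'. A companion test that a valid positive id leaves `error` unset would guard against the check becoming too strict. A string-input case is sketched below.

```php
    /**
     * @ticket 33372
     */
    public function test_parse_query_p_negative_numeric_string() {
        $q = new WP_Query();
        $q->parse_query( array(
            'p' => '-3',
        ) );

        $this->assertSame( '404', $q->query_vars['error'] );
        $this->assertSame( 0, $q->query_vars['p'] );
    }
```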