
Changeset 53838


Timestamp:
08/05/2022 05:47:56 AM (2 years ago)
Author:
peterwilsoncc
Message:

Sitemaps: Prevent invalid provider names throwing errors.

Validate the requested sitemap is a string before attempting to use it in a provider. This prevents WP_Sitemaps_Registry::get_provider() from triggering a fatal error in more recent versions of PHP.

The errors can be triggered by items outside the site owner's or developer's control (such as a user visiting ?sitemap[foo]=bar), so the code fails silently to avoid filling error logs with unfixable errors.

Props costdev, dd32.
Fixes #56336.

Location:
trunk
Files:
2 edited

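--- a/trunk/src/wp-includes/sitemaps/class-wp-sitemaps-registry.php
+++ b/trunk/src/wp-includes/sitemaps/class-wp-sitemaps-registry.php
@@ -66,5 +66,5 @@
      */
     public function get_provider( $name ) {
-        if ( ! isset( $this->providers[ $name ] ) ) {
+        if ( ! is_string( $name ) || ! isset( $this->providers[ $name ] ) ) {
             return null;
         }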
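Review bot: The `is_string()` guard in `get_provider()` protects only this one lookup, while the request-supplied value still reaches it untyped. Any other code that reads the same `sitemap` query value (none is visible in this hunk) would need its own check, so it may be worth also rejecting non-string values where the query variable is first read. The condition also has no comment explaining why a type check sits in front of `isset()`; something like `// $name can come straight from the request and be an array (?sitemap[foo]=bar); an array offset in isset() is fatal on newer PHP.` would stop a later cleanup from removing it. The method body continues past the end of the hunk, so the rest of the null handling is not visible here.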
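--- a/trunk/tests/phpunit/tests/sitemaps/wpSitemapsRegistry.php
+++ b/trunk/tests/phpunit/tests/sitemaps/wpSitemapsRegistry.php
@@ -32,3 +32,39 @@
         $this->assertSame( $providers['foo'], $provider1, 'Can not confirm sitemap registration is working.' );
     }
+
+    /**
+     * Tests that `WP_Sitemaps_Registry::get_provider()` returns `null` when
+     * the `$name` argument is not a string.
+     *
+     * @ticket 56336
+     *
+     * @covers WP_Sitemaps_Registry::get_provider
+     *
+     * @dataProvider data_get_provider_should_return_null_with_non_string_name
+     *
+     * @param mixed $name The non-string name.
+     */
+    public function test_get_provider_should_return_null_with_non_string_name( $name ) {
+        $registry = new WP_Sitemaps_Registry();
+        $this->assertNull( $registry->get_provider( $name ) );
+    }
+
+    /**
+     * Data provider with non-string values.
+     *
+     * @return array
+     */
+    public function data_get_provider_should_return_null_with_non_string_name() {
+        return array(
+            'array'        => array( array() ),
+            'object'       => array( new stdClass() ),
+            'bool (true)'  => array( true ),
+            'bool (false)' => array( false ),
+            'null'         => array( null ),
+            'integer (0)'  => array( 0 ),
+            'integer (1)'  => array( 1 ),
+            'float (0.0)'  => array( 0.0 ),
+            'float (1.1)'  => array( 1.1 ),
+        );
+    }
 }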
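Review bot: Every case in `data_get_provider_should_return_null_with_non_string_name()` runs against a freshly constructed, empty registry, so the scalar cases (`true`, `false`, `null`, `0`, `1`, `0.0`) would probably return `null` even without the `is_string()` guard, because PHP coerces them to array keys that are simply absent. Only the array and object cases clearly depend on the fix. Registering a provider under a name those values coerce to (for example `'1'` or `''`) before calling `get_provider( $name )` would make the scalar cases fail if the type check were ever removed. A failure message on the assertion, e.g. `$this->assertNull( $registry->get_provider( $name ), 'A non-string name should not resolve to a provider.' );`, would also match the style of the existing test above it.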