
Changeset 53891


Timestamp:
08/13/2022 10:29:19 PM (2 years ago)
Author:
johnbillion
Message:

Query: Be better at forcing data types for query vars.

Several query vars only accept a scalar value and pass the value through functions that assume a scalar value. Adding extra guard conditions to the types of query vars doesn't affect their functionality but does remove PHP notices and warnings that can otherwise be generated when a non-scalar value such as an array is present in a query var.

Props juliobox, xknown, SergeyBiryukov, dave1010, nacin, tellyworth, dd32, audrasjb, johnregan3

Fixes #17737

Location:
trunk
Files:
2 edited

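--- a/trunk/src/wp-includes/class-wp-query.php
+++ b/trunk/src/wp-includes/class-wp-query.php
@@ -793,27 +793,39 @@
         }
 
-        $qv['page_id']  = absint( $qv['page_id'] );
-        $qv['year']     = absint( $qv['year'] );
-        $qv['monthnum'] = absint( $qv['monthnum'] );
-        $qv['day']      = absint( $qv['day'] );
-        $qv['w']        = absint( $qv['w'] );
+        $qv['page_id']  = is_scalar( $qv['page_id'] ) ? absint( $qv['page_id'] ) : 0;
+        $qv['year']     = is_scalar( $qv['year'] ) ? absint( $qv['year'] ) : 0;
+        $qv['monthnum'] = is_scalar( $qv['monthnum'] ) ? absint( $qv['monthnum'] ) : 0;
+        $qv['day']      = is_scalar( $qv['day'] ) ? absint( $qv['day'] ) : 0;
+        $qv['w']        = is_scalar( $qv['w'] ) ? absint( $qv['w'] ) : 0;
         $qv['m']        = is_scalar( $qv['m'] ) ? preg_replace( '|[^0-9]|', '', $qv['m'] ) : '';
-        $qv['paged']    = absint( $qv['paged'] );
-        $qv['cat']      = preg_replace( '|[^0-9,-]|', '', $qv['cat'] );    // Comma-separated list of positive or negative integers.
-        $qv['author']   = preg_replace( '|[^0-9,-]|', '', $qv['author'] ); // Comma-separated list of positive or negative integers.
-        $qv['pagename'] = trim( $qv['pagename'] );
-        $qv['name']     = trim( $qv['name'] );
-        $qv['title']    = trim( $qv['title'] );
-        if ( '' !== $qv['hour'] ) {
+        $qv['paged']    = is_scalar( $qv['paged'] ) ? absint( $qv['paged'] ) : 0;
+        $qv['cat']      = preg_replace( '|[^0-9,-]|', '', $qv['cat'] ); // Array or comma-separated list of positive or negative integers.
+        $qv['author']   = is_scalar( $qv['author'] ) ? preg_replace( '|[^0-9,-]|', '', $qv['author'] ) : ''; // Comma-separated list of positive or negative integers.
+        $qv['pagename'] = is_scalar( $qv['pagename'] ) ? trim( $qv['pagename'] ) : '';
+        $qv['name']     = is_scalar( $qv['name'] ) ? trim( $qv['name'] ) : '';
+        $qv['title']    = is_scalar( $qv['title'] ) ? trim( $qv['title'] ) : '';
+
+        if ( is_scalar( $qv['hour'] ) && '' !== $qv['hour'] ) {
             $qv['hour'] = absint( $qv['hour'] );
-        }
-        if ( '' !== $qv['minute'] ) {
+        } else {
+            $qv['hour'] = '';
+        }
+
+        if ( is_scalar( $qv['minute'] ) && '' !== $qv['minute'] ) {
             $qv['minute'] = absint( $qv['minute'] );
-        }
-        if ( '' !== $qv['second'] ) {
+        } else {
+            $qv['minute'] = '';
+        }
+
+        if ( is_scalar( $qv['second'] ) && '' !== $qv['second'] ) {
             $qv['second'] = absint( $qv['second'] );
-        }
-        if ( '' !== $qv['menu_order'] ) {
+        } else {
+            $qv['second'] = '';
+        }
+
+        if ( is_scalar( $qv['menu_order'] ) && '' !== $qv['menu_order'] ) {
             $qv['menu_order'] = absint( $qv['menu_order'] );
+        } else {
+            $qv['menu_order'] = '';
         }
 
@@ -824,12 +836,12 @@
 
         // Compat. Map subpost to attachment.
-        if ( '' != $qv['subpost'] ) {
+        if ( is_scalar( $qv['subpost'] ) && '' != $qv['subpost'] ) {
             $qv['attachment'] = $qv['subpost'];
         }
-        if ( '' != $qv['subpost_id'] ) {
+        if ( is_scalar( $qv['subpost_id'] ) && '' != $qv['subpost_id'] ) {
             $qv['attachment_id'] = $qv['subpost_id'];
         }
 
-        $qv['attachment_id'] = absint( $qv['attachment_id'] );
+        $qv['attachment_id'] = is_scalar( $qv['attachment_id'] ) ? absint( $qv['attachment_id'] ) : 0;
 
         if ( ( '' !== $qv['attachment'] ) || ! empty( $qv['attachment_id'] ) ) {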
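Review bot: The `cat` line in the first hunk is the only normalisation left without a type guard, while its new comment declares that arrays are accepted; `preg_replace()` does map over a flat array, but an object or a nested array (e.g. `cat[]=1&cat[][]=2` from a query string) still reaches it unguarded and would produce the same kind of warning or TypeError the rest of the commit removes. A guard mirroring the `author` line, with array elements filtered first, closes that gap: `$qv['cat'] = is_array( $qv['cat'] ) ? array_filter( $qv['cat'], 'is_scalar' ) : $qv['cat'];` followed by `$qv['cat'] = is_scalar( $qv['cat'] ) || is_array( $qv['cat'] ) ? preg_replace( '|[^0-9,-]|', '', $qv['cat'] ) : '';`. Whatever later joins an array `cat` back into the `'1,-1'` string the new test expects lives outside this hunk, so I cannot confirm it copes with a filtered array — worth checking. Separately, the `subpost`/`subpost_id` conditions in the second hunk keep loose `'' != ...` comparisons while every new condition in the first hunk uses `!==`; since `'' != 0` changed meaning in PHP 8, `'' !== $qv['subpost']` would make the intent explicit. parse_query() begins and ends outside these hunks.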
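--- a/trunk/tests/phpunit/tests/query/parseQuery.php
+++ b/trunk/tests/phpunit/tests/query/parseQuery.php
@@ -105,3 +105,132 @@
     }
 
+    /**
+     * Ensure an array of authors is rejected.
+     *
+     * @ticket 17737
+     */
+    public function test_parse_query_author_array() {
+        $q = new WP_Query();
+        $q->parse_query(
+            array(
+                'author' => array( 1, 2, 3 ),
+            )
+        );
+
+        $this->assertEmpty( $q->query_vars['author'] );
+    }
+
+    /**
+     * Ensure a non-scalar (non-numeric) author value is rejected.
+     *
+     * @ticket 17737
+     */
+    public function test_parse_query_author_string() {
+        $q = new WP_Query();
+        $q->parse_query(
+            array(
+                'author' => 'admin',
+            )
+        );
+
+        $this->assertEmpty( $q->query_vars['author'] );
+    }
+
+    /**
+     * Ensure nonscalar 'cat' array values are rejected.
+     *
+     * Note the returned 'cat' query_var value is a string.
+     *
+     * @ticket 17737
+     */
+    public function test_parse_query_cat_array_mixed() {
+        $q = new WP_Query();
+        $q->parse_query(
+            array(
+                'cat' => array( 1, 'uncategorized', '-1' ),
+            )
+        );
+
+        $this->assertSame( '1,-1', $q->query_vars['cat'] );
+    }
+
+    /**
+     * Ensure a nonscalar menu_order value is rejected.
+     *
+     * @ticket 17737
+     */
+    public function test_parse_query_menu_order_nonscalar() {
+        $q = new WP_Query();
+        $q->parse_query(
+            array(
+                'menu_order' => array( 1 ),
+            )
+        );
+
+        $this->assertEmpty( $q->query_vars['menu_order'] );
+    }
+
+    /**
+     * Ensure numeric 'subpost' gets assigned to 'attachment'.
+     *
+     * @ticket 17737
+     */
+    public function test_parse_query_subpost_scalar() {
+        $q = new WP_Query();
+        $q->parse_query(
+            array(
+                'subpost' => 1,
+            )
+        );
+
+        $this->assertSame( 1, $q->query_vars['attachment'] );
+    }
+
+    /**
+     * Ensure non-scalar 'subpost' does not get assigned to 'attachment'.
+     *
+     * @ticket 17737
+     */
+    public function test_parse_query_subpost_nonscalar() {
+        $q = new WP_Query();
+        $q->parse_query(
+            array(
+                'subpost' => array( 1 ),
+            )
+        );
+
+        $this->assertEmpty( $q->query_vars['attachment'] );
+    }
+
+    /**
+     * Ensure numeric 'attachment_id' value is assigned.
+     *
+     * @ticket 17737
+     */
+    public function test_parse_query_attachment_id() {
+        $q = new WP_Query();
+        $q->parse_query(
+            array(
+                'attachment_id' => 1,
+            )
+        );
+
+        $this->assertSame( 1, $q->query_vars['attachment_id'] );
+    }
+
+    /**
+     * Ensure non-scalar 'attachment_id' value is rejected.
+     *
+     * @ticket 17737
+     */
+    public function test_parse_query_attachment_id_nonscalar() {
+        $q = new WP_Query();
+        $q->parse_query(
+            array(
+                'attachment_id' => array( 1 ),
+            )
+        );
+
+        $this->assertEmpty( $q->query_vars['attachment_id'] );
+    }
 }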
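Review bot: The docblock on `test_parse_query_author_string` does not match its fixture: `'admin'` is a scalar string, so "Ensure a non-scalar (non-numeric) author value is rejected." describes the wrong case and should read `* Ensure a non-numeric author value is rejected.` (the array case is already covered by `test_parse_query_author_array`). The `assertEmpty()` checks in the author, menu_order and attachment_id tests would also pass for `'0'`, `0` or `null`; the source change pins those results to `''` and `0` respectively, so `assertSame( '', $q->query_vars['author'] )`, `assertSame( '', $q->query_vars['menu_order'] )` and `assertSame( 0, $q->query_vars['attachment_id'] )` would lock in the exact normalised values. There is no case for a non-scalar `cat` element that is itself an array or an object, which is the one input the `cat` line still passes to `preg_replace()` without a guard.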