Changeset 61172

Timestamp:

11/06/2025 11:35:52 PM (4 weeks ago)

Author:

johnjamesjacoby

Message:

Date/Time: Prevent a PHP exception when inserting posts with a partially malformed post_date.

This commit updates wp_resolve_post_date() to use a regular expression for parsing the date string into year, month, and day matches. This approach handles missing leading zeros more reliably than substr() while remaining performant (see #57683).

It also adds checks and type-casting to wp_checkdate() variables before passing them into PHP's checkdate() function to avoid the potential for a TypeError in PHP 8 and newer (see #54186).

Lastly, it includes 2 new unit tests (with data providers) to cover an array of valid and invalid date formats (YYYY-MM-DD, YYYY-MM-DD HH:MM:SS, ISO 8601, RSS, leap years, malformed inputs, etc...)

Props alordiel, desrosj, johnbillion, johnjamesjacoby, johnregan3, modius5150, nacin, pbearne.

Fixes #26798.

Location:

trunk

Files:

• src/wp-includes/functions.php (modified) (2 diffs)
• src/wp-includes/post.php (modified) (1 diff)
• tests/phpunit/tests/post.php (modified) (1 diff)

trunk/src/wp-includes/functions.php

@@ -7398 +7398 @@
  */
 function wp_checkdate( $month, $day, $year, $source_date ) {
+    $checkdate = false;
+    if ( is_numeric( $month ) && is_numeric( $day ) && is_numeric( $year ) ) {
+        $checkdate = checkdate( (int) $month, (int) $day, (int) $year );
+    }
+
     /**
      * Filters whether the given date is valid for the Gregorian calendar.
@@ -7406 +7411 @@
      * @param string $source_date Date to check.
      */
-    return apply_filters( 'wp_checkdate', checkdate( $month, $day, $year ), $source_date );
+    return apply_filters( 'wp_checkdate', $checkdate, $source_date );
 }
 

trunk/src/wp-includes/post.php

@@ -5432 +5432 @@
 
     // Validate the date.
-    $month = (int) substr( $post_date, 5, 2 );
-    $day   = (int) substr( $post_date, 8, 2 );
-    $year  = (int) substr( $post_date, 0, 4 );
-
-    $valid_date = wp_checkdate( $month, $day, $year, $post_date );
+    preg_match( '/^(\d{4})-(\d{1,2})-(\d{1,2})/', $post_date, $matches );
+
+    if ( empty( $matches ) || ! is_array( $matches ) || count( $matches ) < 4 ) {
+        return false;
+    }
+
+    $valid_date = wp_checkdate( $matches[2], $matches[3], $matches[1], $post_date );
 
     if ( ! $valid_date ) {

trunk/tests/phpunit/tests/post.php

@@ -815 +815 @@
         remove_filter( 'use_block_editor_for_post', '__return_true' );
     }
+
+    /**
+     * @ticket 26798
+     *
+     * @dataProvider data_wp_insert_post_handle_malformed_post_date
+     *
+     * The purpose of this test is to ensure that invalid dates do not
+     * cause PHP errors when wp_insert_post() is called, and that the
+     * posts are not actually "inserted" (created).
+     */
+    public function test_wp_insert_post_handle_malformed_post_date( $input, $expected ) {
+        $post = array(
+            'post_author'  => self::$editor_id,
+            'post_status'  => 'publish',
+            'post_content' => 'content',
+            'post_title'   => 'title',
+            'post_date'    => $input,
+        );
+
+        // Inserting the post should fail gracefully.
+        $id     = wp_insert_post( $post );
+        $actual = ! empty( $id );
+
+        // Compare if post was (or was not) inserted.
+        $this->assertSame( $actual, $expected );
+    }
+
+    /**
+     * @ticket 26798
+     */
+    public function data_wp_insert_post_handle_malformed_post_date() {
+        return array(
+            array(
+                '2012-01-01',
+                true,
+            ),
+            // 24-hour time format.
+            array(
+                '2012-01-01 13:00:00',
+                true,
+            ),
+            // ISO8601 date with timezone.
+            array(
+                '2016-01-16T00:00:00Z',
+                true,
+            ),
+            // ISO8601 date with timezone offset.
+            array(
+                '2016-01-16T00:00:00+0100',
+                true,
+            ),
+            // RFC3339 Format.
+            array(
+                '1970-01-01T01:00:00+01:00',
+                true,
+            ),
+            // RSS Format
+            array(
+                '1970-01-01T01:00:00+0100',
+                true,
+            ),
+            // Leap year.
+            array(
+                '2012-02-29',
+                true,
+            ),
+            // Strange formats.
+            array(
+                '2012-01-01 0',
+                true,
+            ),
+            array(
+                '2012-01-01 25:00:00',
+                true,
+            ),
+            array(
+                '2012-01-01 00:60:00',
+                true,
+            ),
+            // Failures.
+            array(
+                '2012-08-0z',
+                false,
+            ),
+            array(
+                '2012-08-1',
+                false,
+            ),
+            array(
+                '201-01-08 00:00:00',
+                false,
+            ),
+            array(
+                '201-01-08 00:60:00',
+                false,
+            ),
+            array(
+                '201a-01-08 00:00:00',
+                false,
+            ),
+            array(
+                '2012-1-08 00:00:00',
+                false,
+            ),
+            array(
+                '2012-31-08 00:00:00',
+                false,
+            ),
+            array(
+                '2012-01-8 00:00:00',
+                false,
+            ),
+            array(
+                '2012-01-48 00:00:00',
+                false,
+            ),
+            // Not a leap year.
+            array(
+                '2011-02-29',
+                false,
+            ),
+        );
+    }
+
+    /**
+     * @ticket 26798
+     *
+     * @dataProvider data_wp_resolve_post_date_regex
+     *
+     * Tests the regex inside of wp_resolve_post_date(), with
+     * the emphasis on the date format (not the time).
+     */
+    public function test_wp_resolve_post_date_regex( $date, $expected ) {
+        // Attempt to resolve post date.
+        $actual = wp_resolve_post_date( $date );
+
+        // Compare if resolved post date is (or is not) valid.
+        $this->assertSame( $actual, $expected );
+    }
+
+    /**
+     * @ticket 26798
+     */
+    public function data_wp_resolve_post_date_regex() {
+        return array(
+            array(
+                '2012-01-01',
+                '2012-01-01',
+            ),
+            array(
+                '2012-01-01 00:00:00',
+                '2012-01-01 00:00:00',
+            ),
+            // ISO8601 date with timezone.
+            array(
+                '2016-01-16T00:00:00Z',
+                '2016-01-16T00:00:00Z',
+            ),
+            // ISO8601 date with timezone offset.
+            array(
+                '2016-01-16T00:00:00+0100',
+                '2016-01-16T00:00:00+0100',
+            ),
+            // RFC3339 Format.
+            array(
+                '1970-01-01T01:00:00+01:00',
+                '1970-01-01T01:00:00+01:00',
+            ),
+            // RSS Format
+            array(
+                '1970-01-01T01:00:00+0100',
+                '1970-01-01T01:00:00+0100',
+            ),
+            // 24-hour time format.
+            array(
+                '2012-01-01 13:00:00',
+                '2012-01-01 13:00:00',
+            ),
+            array(
+                '2016-01-16T00:0',
+                '2016-01-16T00:0',
+            ),
+            array(
+                '2012-01-01 0',
+                '2012-01-01 0',
+            ),
+            array(
+                '2012-01-01 00:00',
+                '2012-01-01 00:00',
+            ),
+            array(
+                '2012-01-01 25:00:00',
+                '2012-01-01 25:00:00',
+            ),
+            array(
+                '2012-01-01 00:60:00',
+                '2012-01-01 00:60:00',
+            ),
+            array(
+                '2012-01-01 00:00:60',
+                '2012-01-01 00:00:60',
+            ),
+            array(
+                '201-01-08',
+                false,
+            ),
+            array(
+                '201a-01-08',
+                false,
+            ),
+            array(
+                '2012-1-08',
+                false,
+            ),
+            array(
+                '2012-31-08',
+                false,
+            ),
+            array(
+                '2012-01-8',
+                false,
+            ),
+            array(
+                '2012-01-48 00:00:00',
+                false,
+            ),
+            // Leap year.
+            array(
+                '2012-02-29',
+                '2012-02-29',
+            ),
+            array(
+                '2011-02-29',
+                false,
+            ),
+        );
+    }
 }