WordPress.org

Make WordPress Core

Opened 2 years ago

Closed 2 years ago

#20193 closed defect (bug) (fixed)

wp_post_mime_type_where does not properly prefix table names

Reported by: benbalter Owned by: nacin
Milestone: 3.4 Priority: normal
Severity: minor Version: 3.4
Component: Media Keywords: has-patch
Focuses: Cc:

Description

When called from the iframe media gallery, for example, wp_post_mime_type_where does not properly prefix the table name of post_mime_type in the WHERE clause, leading to a possible ambiguity if a plugin filters the media list by adding a join.

Related: #19779 and #12750.

Steps to reproduce:

  1. Add a filter to posts_where that joins wp_posts (e.g., attachment:example-filter.php:ticket:19779)
  2. Navigate to a post and attempt to insert an existing image from the gallery via the media upload iframe
  3. Receive an error message that post_mime_type is ambiguous

I propose that when no table alias is given, the function defaults to $wpdb->posts to prevent ambiguity.

Attachments (1)

20193.diff (1.1 KB) - added by benbalter 2 years ago.

Download all attachments as: .zip

Change History (5)

benbalter2 years ago

comment:2 nacin2 years ago

  • Keywords dev-feedback 2nd-opinion removed
  • Milestone changed from Awaiting Review to 3.4

Looks like this came in with [14478]. Rather than changing how the function works, we should probably just always pass $wpdb->posts in query.php.

comment:3 lkraav2 years ago

  • Cc lkraav added

comment:4 nacin2 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In [20325]:

Always pass a table alias to wp_post_mime_type_where(). Prevents ambiguous queries when adding joins later on. props benbalter, fixes #20193.

Note: See TracTickets for help on using tickets.