WordPress.org

Make WordPress Core

Opened 9 months ago

Closed 8 months ago

Last modified 8 months ago

#24884 closed defect (bug) (fixed)

WP_Query's "m" parameter is cast to an int which is a problem due to 32-bit signed intergers

Reported by: Viper007Bond Owned by: nacin
Milestone: 3.7 Priority: normal
Severity: normal Version: 3.5.2
Component: Query Keywords: has-patch
Focuses: Cc:

Description (last modified by Viper007Bond)

WP_Query's m parameter accepts MySQL datetimes basically. These values can be up to 14 characters long (YYYYMMDDHHMMSS). For the long values, you end up with 2147483647 when the passed value is run through absint(). While in the process of being used to create a query, it is further validated by being run through preg_replace( '|[^0-9]|', '', $q['m'] ) which makes the integer casting redundant.

Attached is a patch that fixes this issue by just using regex to validate the value.

I discovered this while writing unit tests for #18694 and with the patch on this ticket applied, the unit tests now work as expected. This is another case of unit tests saving the day! :)

Attachments (1)

24884.patch (969 bytes) - added by Viper007Bond 9 months ago.

Download all attachments as: .zip

Change History (6)

Viper007Bond9 months ago

comment:1 Viper007Bond9 months ago

  • Description modified (diff)

comment:2 wonderboymusic8 months ago

  • Milestone changed from Awaiting Review to 3.7

Yep.

comment:3 Viper007Bond8 months ago

Unit tests for this are included as a part of #18694.

comment:4 nacin8 months ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 25138:

Don't cast the 'm' query variable to an integer as the value can exceed the range of a 32-bit signed integer.

props Viper007Bond.
fixes #24884.

comment:5 nacin8 months ago

Tests added in [25139].

Note: See TracTickets for help on using tickets.