WordPress.org

Make WordPress Core

Opened 3 years ago

Last modified 3 years ago

#31083 new enhancement

WP_date_Query does not validate string values of 'before' or 'after'

Reported by: ChriCo Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version: 4.1
Component: Query Keywords: needs-patch
Focuses: Cc:

Description

Currently the before/after values in WP_Date_Query can be an array or string, which will be parsed by strtotime:

if ( ! is_array( $datetime ) ) {
	// @todo Timezone issues here possibly
	return gmdate( 'Y-m-d H:i:s', strtotime( $datetime, $now ) );
}

But we don't validate this string in validate_date_values:

if ( array_key_exists( 'before', $date_query ) && is_array( $date_query['before'] ) ){
	$valid = $this->validate_date_values( $date_query['before'] );
}

Example:

$query_args = array(
	array( 'before' => 'i am a valid date string!?' )
);
$date_query = new \WP_Date_Query( $query_args );
echo $date_query->get_sql;
//  AND ( ( post_date < '1970-01-01 00:00:00' ) )

Attachments (1)

31083.patch (3.4 KB) - added by ChriCo 3 years ago.
added new method for validating before/after, added time-string validation, unit tests

Download all attachments as: .zip

Change History (2)

@ChriCo
3 years ago

added new method for validating before/after, added time-string validation, unit tests

#1 @boonebgorges
3 years ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to Future Release
  • Summary changed from WP_date_Query - broken before/after validation to WP_date_Query does not validate string values of 'before' or 'after'
  • Type changed from defect (bug) to enhancement

Thanks for the patch. I'm changing the ticket summary because it's not really "broken", it was just skipped for non-array values of 'before' and 'after'. I don't really recall the reasons for this.

Regarding the patch, I'd like to see the logic consolidated. Let's either move the string parsing into validate_date_values(), or have a separate method for parsing string dates only, which is called when a string value is detected. It also looks like passing the UNIX epoch will result in an invalid notice, which is incorrect - the ! ! strtotime() check will have to be something more fine-grained. And we can't remove the is_numeric() check introduced in [31251], or string values for 'hour' will not be properly rejected.

Note: See TracTickets for help on using tickets.