Make WordPress Core

Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#33118 closed defect (bug) (fixed)

Don't assume the $post is an array in sanitize_post().

Reported by: morganestes Owned by: wonderboymusic
Milestone: 4.4 Priority: normal
Severity: normal Version: 2.5
Component: Posts, Post Types Keywords: has-patch 2nd-opinion
Focuses: Cc:

Description

sanitize_post() expects $post to be an object (OBJECT|WP_Post) or an array (ARRAY_A|ARRAY_N), and returns the same type, but only checks for is_object(), then assumes it's an array and iterates over it as one without further checking.

It may be a bit overkill, but explicitly checking for is_array() seems like the right thing to do to avoid potential errors thrown by trying to use array_keys() over a non-array.

Attachments (1)

33118.diff (584 bytes) - added by morganestes 9 years ago.
Add explicit check for an array before trying to access keys.


Change History (7)

@morganestes
9 years ago

Add explicit check for an array before trying to access keys.

#1 @morganestes
9 years ago

  • Keywords has-patch added

#2 @SergeyBiryukov
9 years ago

  • Component changed from General to Posts, Post Types

#3 @wonderboymusic
9 years ago

  • Milestone changed from Awaiting Review to 4.4
  • Owner set to wonderboymusic
  • Status changed from new to assigned

#4 @wonderboymusic
9 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 34080:

sanitize_post() is polymorphic, add an is_array() check for $post before operating on it as an array.

Props morganestes.
Fixes #33118.

#5 follow-up: @kitchin
9 years ago

  • Keywords 2nd-opinion added

Seems to me there should be an else $post = null if this is a sanitization function.

#6 in reply to: ↑ 5 @morganestes
9 years ago

Replying to kitchin:

Seems to me there should be an else $post = null if this is a sanitization function.

I don't think completely changing the expected return type by nullifying it is the way to go here, but I could see throwing a 'doing_it_wrong' early if it fails a type check.
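An added example, not part of the ticket or of WordPress core: a simplified PHP model of the type check discussed here, comparing the is_object()-only shape with the is_array() guard on constructed inputs. The demo_* functions and the strip_tags() field sanitizer are hypothetical stand-ins, and PHP 7 or later is assumed.

```php
<?php
// Added illustration, not WordPress core code. Warnings are promoted to
// exceptions so PHP 7 (warning) and PHP 8 (TypeError) report the failure alike.
set_error_handler( function ( $no, $msg, $file, $line ) {
	throw new ErrorException( $msg, 0, $no, $file, $line );
} );
// Hypothetical stand-in for the per-field sanitizer.
function demo_field( $value ) {
	return is_string( $value ) ? strip_tags( $value ) : $value;
}
function demo_object_branch( $post, $context ) {
	foreach ( array_keys( get_object_vars( $post ) ) as $field ) {
		$post->$field = demo_field( $post->$field );
	}
	$post->filter = $context;
	return $post;
}
function demo_array_branch( $post, $context ) {
	foreach ( array_keys( $post ) as $field ) {
		$post[ $field ] = demo_field( $post[ $field ] );
	}
	$post['filter'] = $context;
	return $post;
}

// Before: only is_object() is checked; everything else is assumed to be an array.
function demo_sanitize_before( $post, $context = 'display' ) {
	return is_object( $post ) ? demo_object_branch( $post, $context ) : demo_array_branch( $post, $context );
}

// After: explicit is_array() guard; any other type is returned as received.
function demo_sanitize_after( $post, $context = 'display' ) {
	if ( is_object( $post ) ) {
		return demo_object_branch( $post, $context );
	}
	return is_array( $post ) ? demo_array_branch( $post, $context ) : $post;
}

// Constructed inputs: the two supported shapes plus values a caller might pass by mistake.
$inputs = array( array( 'post_title' => '<b>Hi</b>' ), (object) array( 'post_title' => '<b>Hi</b>' ), '<b>Hi</b>', null, false );
foreach ( $inputs as $input ) {
	foreach ( array( 'demo_sanitize_before', 'demo_sanitize_after' ) as $fn ) {
		try {
			// Clone objects so the second function sees the same unsanitized input.
			$out = var_export( $fn( is_object( $input ) ? clone $input : $input ), true );
		} catch ( Throwable $e ) {
			$out = get_class( $e ) . ': ' . $e->getMessage();
		}
		echo $fn, '( ', gettype( $input ), ' ) => ', str_replace( "\n", ' ', $out ), "\n";
	}
}
```

In this model the guarded version no longer raises on a string, null or false, but it hands that value back exactly as received, markup included, which is the behaviour comments 5 and 6 debate.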
