Make WordPress Core

Opened 8 years ago

Last modified 7 weeks ago

#41011 assigned defect (bug)

get_calendar generates query with invalid date formats

Reported by: andy Owned by: pbearne
Milestone: 6.8 Priority: normal
Severity: normal Version:
Component: Date/Time Keywords: has-patch has-unit-tests
Focuses: Cc:

Description

Given a parameter like ?w=1400, which is obviously not a week number, get_calendar will try to compute the date 9799 days into the year. It would make sense to check that $w is in a valid range, such as not greater than 53.

At the same time, get_calendar does not check that $m is a valid date, resulting in $thisyear == '0' and a query of SELECT DATE_FORMAT((DATE_ADD('00101', INTERVAL 9799 DAY) ), '%m').

Change History (6)

#1 @andy
8 years ago

The overarching problem with this code block is that it relies on MySQL for date computation that can and should be done in PHP. MySQL's date computation may have been more convenient when get_calendar was written 14 years ago in [508]. PHP's date capabilities have improved since then, including support for ISO-8601 date formats.

Along with validating the inputs mentioned in the ticket description, the code should be rewritten to stop using MySQL to find the calendar month for week queries.
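As an added example (not WordPress core code) of the two changes raised above: the `w`/`m` range checks from the description, and the week-to-month lookup that comment #1 wants moved out of MySQL and into PHP. The function name is hypothetical; it assumes the year is the leading digits of `m`, as in the `'00101'` literal, and keeps the day offset of `(($w - 1) * 7) + 6` that turned `?w=1400` into 9799 days.

```php
<?php
/**
 * Added example, not WordPress core code: get_calendar()'s week-to-month
 * lookup done in PHP, with the range checks the ticket asks for.
 *
 * @param mixed $year Year part of the `m` query var (untrusted; assumed to be
 *                    its four leading digits). Year 0 gave '00101' in the ticket.
 * @param mixed $w    The `w` query var (untrusted).
 * @return array|null Validated year, month and day offset, or null when the
 *                    input cannot describe a real calendar position.
 */
function example_calendar_week_to_month( $year, $w ) {
    // Only plain decimal digits may reach the integer casts below, so
    // values such as '1400abc' or '' are rejected instead of coerced.
    if ( ! preg_match( '/^\d+\z/', (string) $year ) || ! preg_match( '/^\d+\z/', (string) $w ) ) {
        return null;
    }
    $year = (int) $year;
    $w    = (int) $w;

    // checkdate() accepts only years from 1 to 32767, so year 0 is refused here.
    if ( ! checkdate( 1, 1, $year ) ) {
        return null;
    }
    // No year has more than 53 weeks, so anything larger is not a week number.
    if ( $w < 1 || $w > 53 ) {
        return null;
    }

    $day_offset = ( ( $w - 1 ) * 7 ) + 6;

    // Equivalent of DATE_FORMAT(DATE_ADD('<year>0101', INTERVAL $d DAY), '%m'),
    // computed locally so no date arithmetic is sent to the database.
    $date = new DateTimeImmutable( sprintf( '%04d-01-01', $year ), new DateTimeZone( 'UTC' ) );
    $date = $date->add( new DateInterval( 'P' . $day_offset . 'D' ) );

    return array(
        'year'       => $year,
        'month'      => (int) $date->format( 'n' ),
        'day_offset' => $day_offset,
    );
}

// Constructed inputs: the ticket's ?w=1400, the zero-year case, and a valid week.
var_dump( example_calendar_week_to_month( '2017', '1400' ) );
var_dump( example_calendar_week_to_month( '0', '1' ) );
var_dump( example_calendar_week_to_month( '2017', '10' ) );
```

The first two calls return null and never reach the database, while the third resolves week 10 of 2017 to month 3 using the same offset arithmetic the MySQL query used.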

4 years ago

This ticket was mentioned in Slack in #core by noisysocks.

#3 @markparnell
4 years ago

  • Component changed from General to Date/Time
  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to Future Release

Thanks @andy. Some sanity checks of the provided week and month values would definitely be worthwhile here. I'll leave the bigger question of whether to rewrite the process to use PHP date calculations instead of MySQL to others.

#4
7 weeks ago

  • Keywords has-patch has-unit-tests added; needs-patch removed

This ticket was mentioned in PR #8064 on WordPress/wordpress-develop by @pbearne.

Introduced comprehensive PHPUnit tests to cover various scenarios for the get_calendar() function. Enhanced input validation in get_calendar() to handle invalid week numbers and months, defaulting them to safe values when out of range.

#5 @pbearne
7 weeks ago

  • Owner set to pbearne
  • Status changed from new to assigned

Hi all,

I have added some sanitation code and a load of tests.

Paul

Last edited 7 weeks ago by pbearne

#6 @pbearne
7 weeks ago

  • Milestone changed from Future Release to 6.8