Make WordPress Core

Opened 7 years ago

Last modified 4 years ago

#41011 new defect (bug)

get_calendar generates query with invalid date formats

Reported by: andy's profile andy Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version:
Component: Date/Time Keywords: needs-patch
Focuses: Cc:

Description

Given a parameter like ?w=1400, which is obviously not a week number, get_calendar will try to compute the date 9799 days into the year. It would make sense to check that $w is in a valid range, such as not greater than 53.

At the same time, get_calendar does not check that $m is a valid date, resulting in $thisyear == '0' and a query of SELECT DATE_FORMAT((DATE_ADD('00101', INTERVAL 9799 DAY) ), '%m').

Change History (3)

#1 @andy
7 years ago

The overarching problem with this code block is that it relies on MySQL for date computation that can and should be done in PHP. MySQL's date computation may have been more convenient when get_calendar was written 14 years ago in [508]. PHP's date capabilities have improved since then, including support for ISO-8601 date formats.

Along with validating the inputs mentioned in the ticket description, the code should be rewritten to stop using MySQL to find the calendar month for week queries.

This ticket was mentioned in Slack in #core by noisysocks. View the logs.


4 years ago

#3 @markparnell
4 years ago

  • Component changed from General to Date/Time
  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to Future Release

Thanks @andy. Some sanity checks of the provided week and month values would definitely be worthwhile here. I'll leave the bigger question of whether to rewrite the process to use PHP date calculations instead of MySQL to others.

Note: See TracTickets for help on using tickets.