WordPress.org

Make WordPress Core

Opened 2 years ago

Last modified 2 years ago

#41011 new defect (bug)

get_calendar generates query with invalid date formats

Reported by: andy Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: General Keywords:
Focuses: Cc:
PR Number:

Description

Given a parameter like ?w=1400, which is obviously not a week number, get_calendar will try to compute the date 9799 days into the year. It would make sense to check that $w is in a valid range, such as not greater than 53.

At the same time, get_calendar does not check that $m is a valid date, resulting in $thisyear == '0' and a query of SELECT DATE_FORMAT((DATE_ADD('00101', INTERVAL 9799 DAY) ), '%m').

Change History (1)

#1 @andy
2 years ago

The overarching problem with this code block is that it relies on MySQL for date computation that can and should be done in PHP. MySQL's date computation may have been more convenient when get_calendar was written 14 years ago in [508]. PHP's date capabilities have improved since then, including support for ISO-8601 date formats.

Along with validating the inputs mentioned in the ticket description, the code should be rewritten to stop using MySQL to find the calendar month for week queries.

Note: See TracTickets for help on using tickets.