Opened 3 years ago

Last modified 4 weeks ago

#43056 assigned defect (bug)

Notice in redirect_guess_404_permalink() when post type is an array

Reported by: junaidbhura
Owned by: peterwilsoncc
Milestone: 5.6
Priority: normal
Severity: normal
Version:
Component: Canonical
Keywords: has-patch has-unit-tests
Focuses:
Cc:

Description

When manipulating URLs, it sometimes becomes necessary to update the query using the pre_get_posts hook.

If we set the post type to an array in the pre_get_posts hook like so:

$query->set( 'post_type', array( 'post', 'page', 'my_cpt' ) );

On a 404 page, we get a notice when WP_DEBUG is set to true:

Notice: wpdb::prepare was called incorrectly. The query only expected one placeholder, but an array of multiple placeholders was sent.

This is caused by the following code in redirect_guess_404_permalink():

$where .= $wpdb->prepare(" AND post_type = %s", get_query_var('post_type'));

This can be fixed by looking for an array and updating the query.

Attachments (4)

43056.diff (853 bytes) - added by junaidbhura 3 years ago.
canonical.php.patch (973 bytes) - added by Enchiridion 20 months ago.
43056.2.diff (949 bytes) - added by Enchiridion 17 months ago.
Small optimization added
43056.3.diff (865 bytes) - added by junaidbhura 7 weeks ago.


Change History (20)

@junaidbhura
3 years ago

#1 @junaidbhura
3 years ago

  • Keywords has-patch added

This ticket was mentioned in Slack in #core by junaidbhura.
3 years ago

#3 @SergeyBiryukov
3 years ago

  • Milestone changed from Awaiting Review to 5.0

#4 @SergeyBiryukov
2 years ago

  • Milestone changed from 5.0 to 5.1

#5 @pento
20 months ago

  • Keywords needs-refresh added
  • Milestone changed from 5.1 to Future Release
  • Version trunk deleted

I suspect 43056.diff will introduce SQL injection issues. wpdb::prepare() won't put quotes around each element of the array being sent to it when replacing into the %s.

#6 @Enchiridion
20 months ago

This issue has been bugging me too. I've updated the patch with SQL escaping.

#7 @laternastudio
19 months ago

Would love to see this released soon!

#8 @Enchiridion
18 months ago

  • Keywords needs-refresh removed

This ticket was mentioned in Slack in #core by enchiridion.
18 months ago

@Enchiridion
17 months ago

Small optimization added

This ticket was mentioned in Slack in #core by junaidbhura.
7 weeks ago

#11 @SergeyBiryukov
7 weeks ago

  • Milestone changed from Future Release to 5.6

#12 @peterwilsoncc
7 weeks ago

I've taken a look at 43056.2.diff

The escaping looks good with esc_url, the post types are verified as legitimate in class-wp.php.

You'll notice that at the moment, the canonical guess function calls get_query_var( 'post_type' ) multiple times. This is to act as a safety switch so that the value of a variable isn't changed by mistake -- this can lead to problems ;)

Rather than putting the value in a variable, I think calling get_query_var( 'post_type' ) each time would be an improvement.

@junaidbhura
7 weeks ago

#13 @junaidbhura
7 weeks ago

Nice catch @peterwilsoncc! I've updated and attached a new diff, could you please take a look?

This ticket was mentioned in PR #480 on WordPress/wordpress-develop by peterwilsoncc.
5 weeks ago

  • Keywords has-unit-tests added

#15 @peterwilsoncc
5 weeks ago

  • Owner set to peterwilsoncc
  • Status changed from new to assigned

@junaidbhura I've modified your patch slightly in PR 480 on the GitHub repo:

  • The escaping was a little out: $wpdb->prepare() can't be used for IN, so the query would have been incorrect; it would have looked for a post type of an apparently random concatenation of the post types. I've replaced that with the counter-intuitive method of correctly escaping LIKEs.
  • I've added some unit tests too for array formatted post types. I've used the publicly queryable post types in a query string rather than the pre_get_posts filter example in your initial report.
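As an added illustration of the problem in the description and the escaping point raised in comment #15 (this is example code, not the diffs attached to this ticket and not what PR #480 does): the original single-placeholder prepare() call is kept for the string case, and the array case gets one %s placeholder per element so that prepare() quotes and escapes every post type individually instead of being handed an array for one placeholder. It assumes it runs inside WordPress, where the global $wpdb and get_query_var() exist; the function name is hypothetical.

```php
<?php
/**
 * Build the post_type restriction used when guessing a 404 permalink,
 * handling both a string and an array value of the 'post_type' query var.
 *
 * Added example, not core code. Assumes WordPress is loaded (global $wpdb,
 * get_query_var()). Name is hypothetical.
 *
 * @return string SQL fragment to append to the WHERE clause ('' if no post type).
 */
function example_post_type_where_clause() {
	global $wpdb;

	$post_type = get_query_var( 'post_type' );
	if ( empty( $post_type ) ) {
		return '';
	}

	// String case: this is what redirect_guess_404_permalink() already did.
	// One value, one %s placeholder, prepare() quotes and escapes it.
	if ( ! is_array( $post_type ) ) {
		return $wpdb->prepare( ' AND post_type = %s', $post_type );
	}

	// Array case. Passing the array straight to a single %s is what produced
	// the "only expected one placeholder" notice from the report, and the
	// elements would not be quoted individually, so it is not a safe IN list.
	// Instead: re-index, then emit exactly one %s per element.
	$post_type    = array_values( array_map( 'strval', $post_type ) );
	$placeholders = implode( ', ', array_fill( 0, count( $post_type ), '%s' ) );

	// prepare() accepts a single array argument as the full list of values,
	// so each placeholder is filled with its own escaped, quoted post type,
	// e.g. " AND post_type IN ( 'post', 'page', 'my_cpt' )".
	return $wpdb->prepare( " AND post_type IN ( {$placeholders} )", $post_type );
}
```

The number of placeholders is derived from the array length at call time, so a value that is a string, a one-element array, or a longer array all produce a clause whose every post type went through prepare().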

#16 @junaidbhura
4 weeks ago

Thanks @peterwilsoncc! I've added a couple of comments on your PR. Could you please take a look?
