Make WordPress Core

Opened 2 years ago

Closed 2 years ago

#55216 closed defect (bug) (duplicate)

CPT slug value conflicts with wp-admin

Reported by: drzraf
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 5.9
Component: Query
Keywords:
Focuses: administration
Cc:


There is no such thing as a custom-post-type slug blacklist: WordPress assumes any slug is ok, but this is not the case.
A badly chosen slug can result in strange behaviors and hard-to-spot issues.

I'm reporting about the _"action"_ slug: Defining such a CPT results in a non-working admin-search (no results or inadequate results).

The chain of events is the following: When using admin-side search, this kind of URL is generated and routed by WP:

Inside Wp::parse_request() there is a loop (l. 300) going over public_query_vars (which includes every slug, every permastruct + built-in query parameters)

If this parameter is set (eg: action=-1 while an _"action"_ CPT is defined), then $this->query_vars['name'] is set to the value.

The resulting SQL request is

SELECT wp_posts.ID, wp_posts.post_parent FROM wp_posts  WHERE 1=1  AND wp_posts.post_name = '1' AND (((wp_posts.post_title LIKE '%foobar%') OR (wp_posts.post_excerpt LIKE '%foobar%') OR (wp_posts.post_content LIKE '%foobar%')))  AND wp_posts.post_type = 'page'  ORDER BY wp_posts.menu_order ASC, wp_posts.post_title ASC

This part, wp_posts.post_name = '1' (where "1" is the transformation of "-1"), keeps correct records from being retrieved.

I see two options:

  • One is documenting an official keyword list of the forbidden slugs (could even be hardcoded and trigger an error)
  • Another is fixing the router so that built-in parameters do not collide with slug-derived ones. Admin-side search is one such place where this collision exists, but others _may_ exist

Change History (1)

#1 @SergeyBiryukov
2 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hi there, thanks for the ticket!

> There is no such thing as a custom-post-type slug blacklist

There is an official list of keywords that should not be used as post type or taxonomy slugs: Reserved Terms.

That said, register_post_type() indeed does not trigger a warning if any of the reserved terms is used as a slug. This was previously suggested in #31154, let's continue the discussion there.

Also related/duplicate: #33125.
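
One way to get the warning discussed in this ticket, as an added example (not WordPress core code and not written by either participant): a plugin-side filter on `register_post_type_args` that flags a post type whose effective query var matches a reserved term. The function name `example_warn_reserved_cpt_query_var`, the constant `EXAMPLE_RESERVED_TERMS`, its shortened term list and the `'1.0.0'` version string are assumptions; the full list is on the Reserved Terms page.

```php
<?php
/**
 * Added example: warn when a post type's query var collides with a reserved term.
 * EXAMPLE_RESERVED_TERMS is a constructed excerpt, not the complete Reserved Terms list.
 */
const EXAMPLE_RESERVED_TERMS = array(
	'action', 'author', 'name', 'order', 'orderby', 'page',
	'post_type', 's', 'search', 'taxonomy', 'term', 'type',
);

/**
 * @param array  $args      Arguments passed to register_post_type(), before defaults are merged.
 * @param string $post_type Post type key.
 * @return array The arguments, unchanged.
 */
function example_warn_reserved_cpt_query_var( $args, $post_type ) {
	// query_var defaults to true, which means "use the post type key".
	$query_var = isset( $args['query_var'] ) ? $args['query_var'] : true;

	if ( false === $query_var ) {
		return $args; // No query var is registered, so nothing can collide.
	}

	// Mirror how core derives the final query var name.
	$effective = ( true === $query_var )
		? $post_type
		: sanitize_title_with_dashes( $query_var );

	if ( in_array( $effective, EXAMPLE_RESERVED_TERMS, true ) ) {
		_doing_it_wrong(
			'register_post_type',
			sprintf(
				'Post type "%1$s" registers the query var "%2$s", which is a reserved term. Use a prefixed "query_var" or set it to false.',
				esc_html( $post_type ),
				esc_html( $effective )
			),
			'1.0.0' // Hypothetical plugin version, constructed for this example.
		);
	}

	return $args;
}
add_filter( 'register_post_type_args', 'example_warn_reserved_cpt_query_var', 10, 2 );
```

`_doing_it_wrong()` only surfaces its notice when `WP_DEBUG` is enabled, so this check is meant for development and staging sites.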
