Make WordPress Core

Opened 22 months ago

Last modified 22 months ago

#58057 new defect (bug)

Replace loose comparison operator in plugins.php

Reported by: sharif200
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 6.3
Component: Plugins
Keywords: has-patch changes-requested
Focuses: coding-standards
Cc:

Description

The code is using a loose comparison operator (==) instead of a strict comparison operator (===). The difference between these operators is that a strict comparison checks for both value and data type, while a loose comparison only checks for value. This can lead to unexpected behavior and potential security vulnerabilities in the code.

Change History (2)

This ticket was mentioned in PR #4289 on WordPress/wordpress-develop by @sharif200.


22 months ago
#1

  • Keywords has-patch added; needs-patch removed

This pull request replaces a loose comparison operator in the WordPress file /wp-admin/plugins.php on line 498 with a strict comparison operator. The current code is using == to compare two values, which can lead to unexpected behavior and security vulnerabilities. The updated code uses === to perform a strict comparison, ensuring that the values being compared are of the same data type. This improves the security and reliability of the code.

Trac ticket:
https://core.trac.wordpress.org/ticket/58057

#2 @SergeyBiryukov
22 months ago

  • Component changed from General to Plugins
  • Keywords changes-requested added

Hi there, welcome back to WordPress Trac! Thanks for the ticket.

If you take a look at the comment directly above the line in question, it explains why strict comparison is not used here:

// Return early if all selected plugins already have auto-updates enabled or disabled.
// Must use non-strict comparison, so that array order is not treated as significant.

So while something could be done to replace the non-strict comparison in this code, simply using a strict comparison does not appear to be the correct solution here, as it will no longer work if the array order is different.

Introduced in [47835] / #50052.
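
How PHP's `==` and `===` treat arrays, which is what the code comment quoted above relies on, shown as an added example that is not code from WordPress core or from this ticket. The plugin file names, the variable names and the helper `same_members_strict()` are hypothetical; the helper assumes the arrays are plain lists whose keys carry no meaning.

```php
<?php
// Constructed sample data: the same key/value pairs, inserted in a different order.
$stored   = array( 0 => 'akismet/akismet.php', 1 => 'hello.php' );
$computed = array( 1 => 'hello.php', 0 => 'akismet/akismet.php' );

// For arrays, == asks "same key/value pairs?", while === additionally
// requires the same element order and the same value types.
var_dump( $stored == $computed );
var_dump( $stored === $computed );

// == is still key-sensitive: the same members under different integer
// keys are a different set of key/value pairs.
$reindexed = array( 'hello.php', 'akismet/akismet.php' );
var_dump( $stored == $reindexed );

// == also compares the values loosely, so two numeric strings are
// compared as numbers; this is the type juggling that === avoids.
var_dump( array( '1e3' ) == array( '1000' ) );
var_dump( array( '1e3' ) === array( '1000' ) );

/**
 * Hypothetical helper: order-insensitive but type-strict comparison
 * of two lists. Both arguments are copies, so the callers' arrays
 * are not modified.
 */
function same_members_strict( array $a, array $b ) {
	// sort() discards the original keys and re-indexes from 0;
	// SORT_STRING orders by string value without numeric juggling.
	sort( $a, SORT_STRING );
	sort( $b, SORT_STRING );

	// After normalising order, === checks values and types together.
	return $a === $b;
}

var_dump( same_members_strict( $stored, $computed ) );
var_dump( same_members_strict( $stored, $reindexed ) );
var_dump( same_members_strict( array( '1e3' ), array( '1000' ) ) );
```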
