Make WordPress Core

Opened 6 months ago

#58619 new defect (bug)

absint() causes unexpected behavior for metadata functions which use get_metadata_raw()

Reported by: michelleblanchette's profile michelleblanchette Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Options, Meta APIs Keywords:
Focuses: Cc:


I discovered this behavior when testing on WordPress version 5.6 and observed the logic flaw in the current code documentation.

In my instance, I have a function that is expected to retrieve a user ID and returns -1 as an error case. This can then end up being used with WordPress's get_user_meta() which eventually uses get_metadata_raw(). The use of absint() on the $object_id within this function causes unexpected behavior as my -1, an invalid object ID, is now interpreted as 1, a valid object ID.

I was expecting WordPress to treat the object ID as invalid if it was so, but it instead changed the value of my provided argument.

The offending code is here:

Please let me know if I'm misunderstanding the purpose of absint() within this function, but it seems like a sneaky rug pull gotcha. I believe the validation on L599 which includes ! is_numeric( $object_id ) should also include || $object_id < 0 to resolve this issue, as well as change L603 to use intval().

Change History (0)

Note: See TracTickets for help on using tickets.