Make WordPress Core

Opened 18 months ago

Last modified 12 months ago

#58619 assigned defect (bug)

absint() causes unexpected behavior for metadata functions which use get_metadata_raw()

Reported by: michelleblanchette's profile michelleblanchette Owned by: pbearne's profile pbearne
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Options, Meta APIs Keywords: has-patch
Focuses: Cc:

Description

I discovered this behavior when testing on WordPress version 5.6 and observed the logic flaw in the current code documentation.

In my instance, I have a function that is expected to retrieve a user ID and returns -1 as an error case. This can then end up being used with WordPress's get_user_meta() which eventually uses get_metadata_raw(). The use of absint() on the $object_id within this function causes unexpected behavior as my -1, an invalid object ID, is now interpreted as 1, a valid object ID.

I was expecting WordPress to treat the object ID as invalid if it was so, but it instead changed the value of my provided argument.

The offending code is here: https://core.trac.wordpress.org/browser/tags/6.2/src/wp-includes/meta.php#L603

Please let me know if I'm misunderstanding the purpose of absint() within this function, but it seems like a sneaky rug pull gotcha. I believe the validation on L599 which includes ! is_numeric( $object_id ) should also include || $object_id < 0 to resolve this issue, as well as change L603 to use intval().

Change History (2)

#1 @pbearne
12 months ago

  • Owner set to pbearne
  • Status changed from new to assigned

This ticket was mentioned in PR #5790 on WordPress/wordpress-develop by @pbearne.


12 months ago
#2

  • Keywords has-patch added

Improved the validation of object_id in the get_metadata_raw function by checking if it's a positive integer. This is done using the filter_var PHP function with FILTER_VALIDATE_INT and specifying a minimum range of 0.

Note: See TracTickets for help on using tickets.