Opened 14 months ago
#59588 new defect (bug)
False returned instead of default value on get_option with failure of unserializing data.
Reported by: | cweberDC | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 6.3.2 |
Component: | Widgets | Keywords: | needs-patch |
Focuses: | | Cc: | |
Description
Hello, I noticed a bug with the ability to load the customize screen of any theme if there is a malformed option value set.
I noticed that in wp-includes/class-wp-customize-widgets.php, customize_register() performs an array_merge which throws an error because the 3rd argument being returned is not an array and is instead false.
In wp-includes/widgets.php, wp_get_sidebars_widgets() calls:
<?php $sidebars_widgets = get_option( 'sidebars_widgets', array() );
I found that the end of the function, in the apply_filters call (line 255), is calling maybe_unserialize. The issue with this is if the option value is malformed and the serializing returns False. That gets passed back to when it is trying to merge the arrays. I added some code as a test and it worked after I changed to the following:
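<?php
$data = maybe_unserialize( $value );
// Fall back to the default when unserializing gave a falsy value of a different type.
if ( ! $data && $default_value !== false && gettype( $data ) !== gettype( $default_value ) ) {
	$data = $default_value;
}
return apply_filters( "option_{$option}", $data, $option );
} // end of the enclosing function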
The idea I tried to solve for is if a default value has been passed in but the value we are about to return is not what the receiving function is expecting then it should try to make sure it is at least passing back the expected type of the default value.
option.php file with my code changes for example
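The failure and the proposed guard described in this ticket, reproduced outside WordPress as an added example (not code from the ticket's attachment or from WordPress core). The functions demo_maybe_unserialize() and demo_get_option_guarded() are hypothetical simplified stand-ins, and the option rows are constructed sample data.

```php
<?php
// Added example, not WordPress core code. All demo_* names are hypothetical.

// Simplified stand-in for maybe_unserialize(): PHP's unserialize() returns
// false when the stored string is malformed (its notice is suppressed here).
function demo_maybe_unserialize( $value ) {
	if ( is_string( $value ) && preg_match( '/^[aOs]:\d+:/', $value ) ) {
		return @unserialize( $value );
	}
	return $value;
}

// The guard from the ticket: fall back to the caller's default when
// unserializing produced a falsy value whose type differs from the default.
function demo_get_option_guarded( $raw, $default_value = false ) {
	$data = demo_maybe_unserialize( $raw );
	if ( ! $data && false !== $default_value
		&& gettype( $data ) !== gettype( $default_value ) ) {
		$data = $default_value;
	}
	return $data;
}

// Constructed sample rows: a valid serialized array and a truncated copy,
// standing in for a malformed sidebars_widgets value in the options table.
$valid     = serialize( array( 'sidebar-1' => array( 'search-2' ) ) );
$truncated = substr( $valid, 0, -5 );

// Unguarded path: the malformed row yields a boolean, not the array() default.
$unguarded = demo_maybe_unserialize( $truncated );
var_dump( $unguarded );

try {
	// The boolean is passed as the third argument, as in the ticket.
	// PHP 8 throws TypeError here; PHP 7 warns and returns null instead.
	array_merge( array(), array(), $unguarded );
} catch ( TypeError $e ) {
	echo 'array_merge failed: ', $e->getMessage(), "\n";
}

// Guarded path: the malformed row falls back to the caller's default,
// while the valid row is returned unchanged.
var_dump( demo_get_option_guarded( $truncated, array() ) );
var_dump( demo_get_option_guarded( $valid, array() ) );
```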