Make WordPress Core

Opened 6 months ago

#59588 new defect (bug)

False returned instead of default value on get_option with failure of unserializing data.

Reported by: cweberDC
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 6.3.2
Component: Widgets
Keywords: needs-patch
Focuses:
Cc:

Description

Hello, I noticed a bug with the ability to load the customize screen of any theme if there is a malformed option value set.

I noticed from wp-includes/class-wp-customize-widgets.php

<?php
customize_register();

This performs an array_merge, which throws an error because the 3rd argument being returned is not an array and is instead false.

In wp-includes/widgets.php:

<?php
wp_get_sidebars_widgets();

This calls

<?php
$sidebars_widgets = get_option( 'sidebars_widgets', array() );

I found that the end of the function, in the apply_filters (line 255), is calling maybe_unserialize in the call. The issue with this arises if the option value is malformed and the serializing returns false. That gets passed back to where it is trying to merge the arrays. I added some code as a test, and it worked after I changed it to the following:

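<?php
    // End of get_option() in wp-includes/option.php, with the test change applied.
    $data = maybe_unserialize( $value );

    // If unserializing produced an empty value whose type differs from the
    // caller's default, return the default instead.
    if ( ! $data && false !== $default_value && gettype( $data ) !== gettype( $default_value ) ) {
        $data = $default_value;
    }

    return apply_filters( "option_{$option}", $data, $option );
}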

The idea I tried to solve for is this: if a default value has been passed in, but the value we are about to return is not what the receiving function is expecting, then it should try to make sure it is at least passing back the expected type of the default value.

Attachments (1)

option.php (80.9 KB) - added by cweberDC 6 months ago.
option.php file with my code changes for example


Change History (1)

@cweberDC
6 months ago

option.php file with my code changes for example
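
Added example (not part of the ticket, the attached option.php, or WordPress core): a standalone PHP sketch of the failure described in the ticket, together with a caller-side type guard. The demo_* functions are hypothetical stand-ins for maybe_unserialize() and get_option(), and the option rows are constructed sample data.

```php
<?php
// Added illustration; runs without WordPress. The demo_* functions are
// hypothetical stand-ins, not WordPress core code.

// Simplified stand-in for maybe_unserialize(): returns false when the
// stored string looks serialized but cannot be decoded.
function demo_maybe_unserialize( $value ) {
    if ( is_string( $value ) && preg_match( '/^[abdisO]:/', $value ) ) {
        return @unserialize( trim( $value ), array( 'allowed_classes' => false ) );
    }
    return $value;
}

// Stand-in for the tail of get_option(): the default is only used when the
// option row is missing, not when decoding the stored value fails.
function demo_get_option( array $store, $option, $default_value = false ) {
    if ( ! array_key_exists( $option, $store ) ) {
        return $default_value;
    }
    return demo_maybe_unserialize( $store[ $option ] );
}

// Caller-side guard: accept the stored value only if it has the type the
// caller is about to use, otherwise fall back to the default.
function demo_get_array_option( array $store, $option, array $default_value = array() ) {
    $value = demo_get_option( $store, $option, $default_value );
    return is_array( $value ) ? $value : $default_value;
}

// Constructed sample data: a valid row and the same row truncated mid-string.
$good  = serialize( array( 'sidebar-1' => array( 'search-2' ) ) );
$store = array(
    'good_widgets'   => $good,
    'broken_widgets' => substr( $good, 0, -5 ),
);

// The malformed row comes back as false even though array() was the default.
var_dump( demo_get_option( $store, 'broken_widgets', array() ) );

try {
    // PHP 8 throws a TypeError here; PHP 7 emits a warning and returns null.
    array_merge( array(), demo_get_option( $store, 'broken_widgets', array() ) );
} catch ( TypeError $e ) {
    echo 'array_merge failed: ', $e->getMessage(), "\n";
}

// With the guard, the malformed row yields the default and the valid row is unchanged.
var_dump( demo_get_array_option( $store, 'broken_widgets' ) );
var_dump( demo_get_array_option( $store, 'good_widgets' ) === unserialize( $good ) );
```

The guard checks the type the caller needs rather than treating every false as a failure, so an option that legitimately stores boolean false is not overwritten by callers that expect a boolean.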
