Opened 2 weeks ago
Last modified 8 days ago
#63273 new defect (bug)
Fatal due to superglobal $_POST modification with invalid int type
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 6.9 | Priority: | normal |
| Severity: | major | Version: | |
| Component: | Posts, Post Types | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
By default PHP's $_POST and $_GET superglobals can only contain string and array types.
Unfortunately, WordPress overwrites the superglobals though and thereby sets keys with invalid int values. E.g. when updating a page/post at /wp-admin/post.php?post=123&action=edit, it will set user_ID, post_author, ... see https://github.com/WordPress/wordpress-develop/blame/trunk/src/wp-admin/includes/post.php#L63
When using strict_types=1 in a file and processing the $_POST data with a function that expects a string type, you'll get a fatal error.
If it's a non-WP form, which might use the same keys (e.g. ID or user_ID), this means that extra handling needs to be added to plugin/theme code to ensure it works in both cases without a fatal (and ignoring 1000s of errors from static analysis, which tells me that $_POST values cannot be int).
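The failure described in this ticket, next to a defensive read in plugin code, as an added example that is not part of the ticket or of WordPress core. The function names `parse_user_id()` and `post_string()` are hypothetical, and the `$_POST` contents are constructed to mimic the overwrite.

```php
<?php
declare(strict_types=1);

// Constructed request data: fields submitted by a client are strings or arrays.
$_POST = ['post_title' => 'Hello', 'tags' => ['a', 'b']];
// Mimics the overwrite described in the ticket: an int stored under a $_POST key.
$_POST['user_ID'] = 123;

/** Hypothetical plugin consumer that assumes superglobal values are strings. */
function parse_user_id(string $raw): int
{
    return preg_match('/^[0-9]+$/', $raw) === 1 ? (int) $raw : 0;
}

/**
 * Hypothetical helper: read a $_POST key as a string whether the value came
 * from the client (string) or was overwritten with an int. Arrays and missing
 * keys yield null, so the caller has to handle them explicitly.
 */
function post_string(string $key): ?string
{
    $value = $_POST[$key] ?? null;
    if (is_string($value)) {
        return $value;
    }
    if (is_int($value)) {
        return (string) $value;
    }
    return null; // arrays, missing keys, any other unexpected type
}

// 1. Passing the raw value throws under strict_types because 123 is an int.
try {
    parse_user_id($_POST['user_ID']);
    echo "no error\n";
} catch (TypeError $e) {
    echo 'TypeError: ', $e->getMessage(), "\n";
}

// 2. Normalizing first works for the overwritten int and for client strings.
foreach (['user_ID', 'post_title', 'tags', 'missing'] as $key) {
    $s = post_string($key);
    echo $key, ' => ', $s === null ? 'null' : var_export(parse_user_id($s), true), "\n";
}
```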
Change History (2)
This ticket was mentioned in PR #8718 on WordPress/wordpress-develop by @sukhendu2002.
8 days ago
#2
- Keywords has-patch added; needs-patch removed
Trac ticket: https://core.trac.wordpress.org/ticket/63273
Thanks for the report, @kkmuffme. I'm moving this to the 6.9 milestone for consideration since this is an existing issue and not something that is the result of a change during 6.8.
If anyone wants to do some investigation to see if there are other places where WP is overwriting globals in this way which need to be fixed at the same time, that would be super helpful.