Make WordPress Core

Opened 5 months ago

Last modified 5 months ago

#63910 new enhancement

In wp_switch_roles_and_user there is no cast to int applied to $new_site_id and $old_site_id

Reported by: eumene Owned by:
Milestone: Awaiting Review Priority: normal
Severity: minor Version: 4.9.8
Component: Networks and Sites Keywords:
Focuses: multisite Cc:

Description

In function wp_switch_roles_and_user in file wp-includes/ms-blogs.php there is the following if

<?php
if ( $new_site_id === $old_site_id ) {
                return;
}

In other cases, when WP is using a $site_id, it applies an int cast to be sure to use the right variable type - see functions

populate_site_meta
get_instance in WP_Site class
....

I think you must add casting to both variables $new_site_id and $old_site_id before comparing them using the === operator, or change the operator to ==

Thanks for your work

Diego

Attachments (1)

63910.patch (478 bytes) - added by rishabhwp 5 months ago.


Change History (3)

@rishabhwp
5 months ago

#1 @spacedmonkey
5 months ago

  • Version changed from 6.8.2 to 4.9

@eumene Can you provide some more context on where this error happens? Are you calling this function in your own code and it is having issues?

In your own code, you could just do this.

wp_switch_roles_and_user( (int) $new_site_id, (int) $old_site_id );

This code function is only called in one place in core. Here. It is hooked into the switch_blog action. Would be considering adding the casting of string to int in the action, like this.

do_action( 'switch_blog', (int) $new_blog_id, (int) $prev_blog_id, 'switch' );

Thoughts?

#2 @eumene
5 months ago

  • Severity changed from normal to minor
  • Type changed from defect (bug) to enhancement
  • Version changed from 4.9 to 4.9.8

Hi @spacedmonkey

This is just a suggestion to prevent my problem.

I'm working on an old WP multi-site installation, with custom code.
I'm updating it to a newer WP version.

I got an infinite loop calling the REST API.
In this case the custom code calls

<?php
switch_to_blog(BLOG_ID_CURRENT_SITE);

but the old wp-config.php was

<?php
define('SITE_ID_CURRENT_SITE', '1');
define('BLOG_ID_CURRENT_SITE', '1');

So, I changed it

<?php
define('SITE_ID_CURRENT_SITE', 1);
define('BLOG_ID_CURRENT_SITE', 1);

It works

But, surfing WP code, I found many (int) casts and I thought that the WP core team wants to handle this kind of config type error - searching for ") $site_id" in WP code.
Some examples

wp-includes/ms-site.php

<?php
function wp_is_site_initialized( $site_id ) {
        global $wpdb;

        if ( is_object( $site_id ) ) {
                $site_id = $site_id->blog_id;
        }
        $site_id = (int) $site_id;

wp-includes/class-wp-site.php

<?php
        public static function get_instance( $site_id ) {
                global $wpdb;

                $site_id = (int) $site_id;
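
The comparison discussed in this ticket, as an added example that is not part of the ticket or of WordPress core. All function names are hypothetical, and `$current_blog_id` holding an integer is an assumption.

```php
<?php
// Added example: not WordPress core code. All function names are hypothetical.

// Stand-in for the guard quoted in the ticket: strict comparison, no casting.
function same_site_strict( $new_site_id, $old_site_id ) {
	return $new_site_id === $old_site_id;
}

// Validate instead of blindly casting: (int) 'main' would silently become 0.
function normalize_site_id( $value ) {
	$id = filter_var( $value, FILTER_VALIDATE_INT, array( 'options' => array( 'min_range' => 1 ) ) );
	if ( false === $id ) {
		throw new InvalidArgumentException( 'Not a valid site ID: ' . var_export( $value, true ) );
	}
	return $id;
}

// The same guard after both IDs are normalized to integers.
function same_site_normalized( $new_site_id, $old_site_id ) {
	return normalize_site_id( $new_site_id ) === normalize_site_id( $old_site_id );
}

// List ID constants that are defined with a non-integer type.
function non_int_site_constants( array $names ) {
	$bad = array();
	foreach ( $names as $name ) {
		if ( defined( $name ) && ! is_int( constant( $name ) ) ) {
			$bad[ $name ] = gettype( constant( $name ) );
		}
	}
	return $bad;
}

// Constructed input: the old wp-config.php values from the ticket.
define( 'SITE_ID_CURRENT_SITE', '1' );
define( 'BLOG_ID_CURRENT_SITE', '1' );
$current_blog_id = 1; // Assumption: the running site's ID is held as an integer.

var_dump( same_site_strict( BLOG_ID_CURRENT_SITE, $current_blog_id ) );
var_dump( same_site_normalized( BLOG_ID_CURRENT_SITE, $current_blog_id ) );
print_r( non_int_site_constants( array( 'SITE_ID_CURRENT_SITE', 'BLOG_ID_CURRENT_SITE' ) ) );

try {
	normalize_site_id( 'main' ); // Constructed bad value.
} catch ( InvalidArgumentException $e ) {
	echo $e->getMessage(), "\n";
}
```

With the string-defined constants the strict guard reports the two IDs as different, while the normalized guard treats them as the same site.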