Date querystring parameter is not being sanitized correctly #3821
Hi, how can I help with that? I've noticed a lot of errors in our organization related to this solution.
just some suggestions and minors
@@ -367,6 +367,99 @@ public function parse_request( $extra_query_vars = '' ) { | |||
} | |||
} | |||
// Prevent invalid date queries. |
suggestion (if-minor): it would be nice to move this validation to a separate class, wdyt?
} | ||
} | ||
$day_month_year_error_msg = ''; |
nitpick: remove this; you don't use this variable in the code
$day_exists = array_key_exists( 'day', $this->query_vars ) && is_numeric( $this->query_vars['day'] ); | ||
$month_exists = array_key_exists( 'monthnum', $this->query_vars ) && is_numeric( $this->query_vars['monthnum'] ); | ||
$year_exists = array_key_exists( 'year', $this->query_vars ) && is_numeric( $this->query_vars['year'] ); |
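Review bot: is_numeric() in the `$day_exists`, `$month_exists` and `$year_exists` checks is a weak gate for integer day, month and year values: it accepts floats, exponent notation and signed or whitespace-padded strings (e.g. "1e3", "12.5", "-1"), all of which would still reach the date query. Suggest a digit-only check such as ctype_digit() followed by a range check (1-12 for monthnum, 1-31 for day), and isset() in place of array_key_exists() so a null value is treated as absent.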
thought (if-minor): I would change the redundant variables into a function; I also recommend using isset, since it also checks that the value is not null
$day_exists = array_key_exists( 'day', $this->query_vars ) && is_numeric( $this->query_vars['day'] ); | |
$month_exists = array_key_exists( 'monthnum', $this->query_vars ) && is_numeric( $this->query_vars['monthnum'] ); | |
$year_exists = array_key_exists( 'year', $this->query_vars ) && is_numeric( $this->query_vars['year'] ); | |
$is_value_exists = function(string $value) { | |
return isset( $this->query_vars[$value] ) && is_numeric( $this->query_vars[$value] ); | |
}; |
$month_exists = array_key_exists( 'monthnum', $this->query_vars ) && is_numeric( $this->query_vars['monthnum'] ); | ||
$year_exists = array_key_exists( 'year', $this->query_vars ) && is_numeric( $this->query_vars['year'] ); | ||
if ( $day_exists && $month_exists && $year_exists ) { |
then
if ( $day_exists && $month_exists && $year_exists ) { | |
if ( $is_value_exists('day') && $is_value_exists('monthnum') && $is_value_exists('year') ) { |
unset( $this->query_vars['monthnum'] ); | ||
unset( $this->query_vars['year'] ); | ||
} | ||
} elseif ( $day_exists && $month_exists ) { |
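Review bot: the visible branch removes only two of the three vars (`unset( $this->query_vars['monthnum'] );` and `unset( $this->query_vars['year'] );`), so unless day is also unset earlier in that block, a dangling day value stays in query_vars and the request proceeds as a day-only query instead of being rejected; suggest unsetting all three together or returning from the date branch. The `} elseif ( $day_exists && $month_exists ) {` branch needs the same consideration, since a day/month pair without a year cannot be fully validated (the 29 February case depends on the year).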
} elseif ( $day_exists && $month_exists ) { | |
} elseif ( $is_value_exists('day') && $is_value_exists('monthnum') ) { |
Unfortunately it ended up breaking canonical redirects, I think what is needed is to prevent
Are the errors you are seeing coming from visitors entering incorrect values in the URL or due to calls within your code to
https://core.trac.wordpress.org/ticket/56311
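A stand-alone validation routine for the same day/monthnum/year query vars, covering the isset() and is_numeric() points raised in the review comments above. This is an added example, not WordPress core code or the code of this PR; the function names are hypothetical.

```php
<?php
// Added example, not WordPress core code: validate the day/monthnum/year
// query vars discussed in this review. Function names are hypothetical.
/** Accept only unsigned digit strings or ints within [$min, $max]; else null. */
function date_var_to_int( $value, int $min, int $max ): ?int {
    if ( is_int( $value ) ) {
        $int = $value;
    } elseif ( is_string( $value ) && ctype_digit( $value ) ) {
        // "01" and "2022" pass; "1e3", "12.5", "-1" and " 7" do not,
        // although is_numeric() would accept all of the latter.
        $int = (int) $value;
    } else {
        return null; // arrays, floats, empty strings, etc.
    }
    return ( $int >= $min && $int <= $max ) ? $int : null;
}

/** Return $query_vars with invalid or inconsistent date vars removed. */
function validate_date_query_vars( array $query_vars ): array {
    $ranges = array(
        'year'     => array( 1, 9999 ),
        'monthnum' => array( 1, 12 ),
        'day'      => array( 1, 31 ),
    );
    $valid = array();
    foreach ( $ranges as $key => list( $min, $max ) ) {
        if ( ! isset( $query_vars[ $key ] ) ) {
            continue; // isset() also treats a null value as absent
        }
        $int = date_var_to_int( $query_vars[ $key ], $min, $max );
        if ( null === $int ) {
            unset( $query_vars[ $key ] ); // drop it rather than pass it on
        } else {
            $valid[ $key ] = $int;
        }
    }
    // When all three are present the combination must be a real calendar
    // date; checkdate() rejects e.g. 31 February or 29 February 2023.
    if ( isset( $valid['day'], $valid['monthnum'], $valid['year'] )
        && ! checkdate( $valid['monthnum'], $valid['day'], $valid['year'] ) ) {
        unset( $query_vars['day'], $query_vars['monthnum'], $query_vars['year'] );
    }
    return $query_vars;
}

// Constructed sample inputs, as /2022/02/31/ or ?year=2022&monthnum=1e1 would produce.
var_dump( validate_date_query_vars( array( 'year' => '2022', 'monthnum' => '02', 'day' => '31' ) ) );
var_dump( validate_date_query_vars( array( 'year' => '2022', 'monthnum' => '1e1' ) ) );
```

The first call drops all three vars because 31 February is not a calendar date; the second keeps year and drops monthnum, which is_numeric() alone would have let through.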