Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Date querystring parameter is not being sanitized correctly #3821

Draft
wants to merge 3 commits into
base: trunk
Choose a base branch
from
Draft

Date querystring parameter is not being sanitized correctly #3821

wants to merge 3 commits into from

Conversation

peterwilsoncc
Copy link
Contributor

@Jankyz
Copy link

Jankyz commented Oct 2, 2023

Hi, how can I help with that? I've noticed a lot of errors in our organization related to this solution.

Jankyz
Jankyz reviewed Oct 2, 2023
View reviewed changes
Copy link

@Jankyz Jankyz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just some suggestions and minors

src/wp-includes/class-wp.php
@@ -367,6 +367,99 @@ public function parse_request( $extra_query_vars = '' ) {
}
}

// Prevent invalid date queries.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion (if-minor): it would be nice to move this validation to a separate class, wdyt ?

src/wp-includes/class-wp.php
}
}

$day_month_year_error_msg = '';
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nitpick: to rm you don't use this variable in code

src/wp-includes/class-wp.php
Comment on lines +441 to +443
$day_exists = array_key_exists( 'day', $this->query_vars ) && is_numeric( $this->query_vars['day'] );
$month_exists = array_key_exists( 'monthnum', $this->query_vars ) && is_numeric( $this->query_vars['monthnum'] );
$year_exists = array_key_exists( 'year', $this->query_vars ) && is_numeric( $this->query_vars['year'] );
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thought (if-minor): I would change the redundat variables into function also recommend using isset it also checks value is not null

Suggested change
$day_exists = array_key_exists( 'day', $this->query_vars ) && is_numeric( $this->query_vars['day'] );
$month_exists = array_key_exists( 'monthnum', $this->query_vars ) && is_numeric( $this->query_vars['monthnum'] );
$year_exists = array_key_exists( 'year', $this->query_vars ) && is_numeric( $this->query_vars['year'] );
$is_value_exists = function(string $value) {
return isset( $this->query_vars[$value] ) && is_numeric( $this->query_vars[$value] );
};

src/wp-includes/class-wp.php
$month_exists = array_key_exists( 'monthnum', $this->query_vars ) && is_numeric( $this->query_vars['monthnum'] );
$year_exists = array_key_exists( 'year', $this->query_vars ) && is_numeric( $this->query_vars['year'] );

if ( $day_exists && $month_exists && $year_exists ) {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

then

Suggested change
if ( $day_exists && $month_exists && $year_exists ) {
if ( $is_value_exists('day') && $is_value_exists('monthnum') && $is_value_exists('year') ) {

src/wp-includes/class-wp.php
unset( $this->query_vars['monthnum'] );
unset( $this->query_vars['year'] );
}
} elseif ( $day_exists && $month_exists ) {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
} elseif ( $day_exists && $month_exists ) {
} elseif ( $is_value_exists('day') && $is_value_exists('monthnum') ) {

@peterwilsoncc
Copy link
Contributor Author

Hi, how can I help with that? I've noticed a lot of errors in our organization related to this solution.

Unfortunately it ended up breaking a canonical redirects, http://wp-dev.local/2023/09/51 is meant to redirect to http://wp-dev.local/2023/09/ but on this branch it no longer does.

I think what is needed is to prevent WP_Date_Query from logging notices on the main query (ie, the query formed by a site visitors request to an invalid URL) but continue to logging them for developers calling WP_Query with invalid date parameters.

Unfortunately, WP_Date_Query doesn't have access to whether it's the main query. This could be done by changing the constructor but it seems a little bit of overkill.

Are the errors you are seeing coming from visitors entering incorrect values in the URL or due to calls within your code to WP_Query?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Jankyz Jankyz Jankyz left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@peterwilsoncc @Jankyz