[wp-trac] [WordPress Trac] #45346: Varnish querystring.sort can break load-styles.php

WordPress Trac noreply at wordpress.org
Wed Nov 14 11:26:41 UTC 2018


#45346: Varnish querystring.sort can break load-styles.php
--------------------------+-----------------------------
 Reporter:  rabin.io      |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  4.9.8
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 If one uses Varnish with this snippet


 {{{
   # Sort the querystring parameters, so different orders of the same produce a single cache object.
   if (req.url ~ "\?") {
     set req.url = querystring.sort(req.url);
   }
 }}}

 And if load-styles.php gets an array for the load parameter and this
 parameter is sorted, it can break the page by not loading all the style
 elements.

 e.g:
 this URL

 {{{
 /load-styles.php?c=0&dir=rtl&load[]=dashicons,admin-bar,common,forms,admin-menu,dashboard,list-tables,edit,revisions,media,themes,about,nav-menus,wp-pointer,widgets&load[]=,site-icon,l10n,buttons&ver=4.9.8
 }}}

 the array will look like this after sorting

 {{{
     [load] => Array
         (
             [0] => dashicons,admin-bar,common,forms,admin-menu,dashboard,list-tables,edit,revisions,media,themes,about,nav-menus,wp-pointer,widgets
             [1] => ,site-icon,l10n,buttons
         )

 }}}

 and the result will be,


 {{{
 Array
 (
     [0] =>
     [1] => site-icon
     [2] => l10n
     [3] => buttonsdashicons <-------- this is the problem
     [4] => admin-bar
     [5] => common
     [6] => forms
     [7] => admin-menu
     [8] => dashboard
     [9] => list-tables
     [10] => edit
     [11] => revisions
     [12] => media
     [13] => themes
     [14] => about
     [15] => nav-menus
     [16] => wp-pointer
     [17] => widgets
 )

 }}}

 the fix is very simple,

 {{{
 diff --git a/wp-admin/load-styles.php b/wp-admin/load-styles.php
 index de20881..f45cfe2 100644
 --- a/wp-admin/load-styles.php
 +++ b/wp-admin/load-styles.php
 @@ -20,7 +20,8 @@ require( ABSPATH . WPINC . '/version.php' );

  $load = $_GET['load'];
  if ( is_array( $load ) ) {
 -       $load = implode( '', $load );
 +       $load = array_map( function ($item) { return trim($item, ','); },
 $load );
 +       $load = implode( ',', $load );
  }
  $load = preg_replace( '/[^a-z0-9,_-]+/i', '', $load );
  $load = array_unique( explode( ',', $load ) );
 }}}
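
Review bot: the added `implode( ',', $load )` combined with `trim( $item, ',' )` assumes every `load[]` element holds only whole handle names. That is true for the URL in this report, but the removed `implode( '', $load )` also rejoined a handle whose name was cut across two elements, and with this change such a handle would reach `explode( ',', $load )` as two names that match no registered style. Making the element order explicit (for example keyed or numbered elements that the script puts back in order before joining) would be safer than inserting separators, and it would also restore the original style order, which this change leaves in whatever order the elements arrive. As a style point, the closure on the first added line lacks the spacing used in the surrounding lines (`function ( $item )`, `trim( $item, ',' )`).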

 but is it the right solution?

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/45346>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
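
The behaviour described in the ticket, as an added example that is not part of the original message or of WordPress core: it compares the original join with the join from the proposed patch, before and after the query string is reordered. `sort_query_pairs()` is a hypothetical stand-in that approximates `querystring.sort` by sorting the raw `name=value` pairs as strings, and both sample query strings are constructed (the second one splits the list inside a handle name).

```php
<?php
// Added illustration; not WordPress core code. Sample values are constructed.

// Assumption: approximate the reordering from the ticket by sorting the raw
// "name=value" pairs of the query string as plain strings.
function sort_query_pairs( $query ) {
    $pairs = explode( '&', $query );
    sort( $pairs, SORT_STRING );
    return implode( '&', $pairs );
}

// Join used by load-styles.php before the patch.
function join_original( array $load ) {
    return implode( '', $load );
}

// Join proposed in the ticket's patch.
function join_patched( array $load ) {
    $load = array_map( function ( $item ) { return trim( $item, ',' ); }, $load );
    return implode( ',', $load );
}

// Same filtering and splitting as the unchanged context lines of the patch.
function to_handles( $load ) {
    $load = preg_replace( '/[^a-z0-9,_-]+/i', '', $load );
    return array_unique( explode( ',', $load ) );
}

// Parse the query string and return the handles produced by the given join.
function handles_for( $query, $join ) {
    parse_str( $query, $params );
    return to_handles( $join( $params['load'] ) );
}

$queries = array(
    'split at a comma'      => 'c=0&load[]=dashicons,common,forms&load[]=,site-icon,l10n,buttons&ver=4.9.8',
    'split inside a handle' => 'c=0&load[]=forms,dashi&load[]=cons,common&ver=4.9.8',
);

foreach ( $queries as $label => $query ) {
    foreach ( array( 'as sent' => $query, 'sorted' => sort_query_pairs( $query ) ) as $state => $q ) {
        foreach ( array( 'join_original', 'join_patched' ) as $join ) {
            // An empty first field in the output is an empty handle, as in the ticket.
            printf( "%-22s %-8s %-14s %s\n", $label, $state, $join, implode( ' ', handles_for( $q, $join ) ) );
        }
    }
}
```

In the first case only the original join fails after sorting, producing the `buttonsdashicons` handle from the ticket; in the second case the patched join yields `dashi` and `cons` even for the unsorted request.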