[wp-trac] [WordPress Trac] #11509: sanitize_user_object() throws fatal error on user property objects
WordPress Trac
wp-trac at lists.automattic.com
Sat Dec 19 17:06:26 UTC 2009
#11509: sanitize_user_object() throws fatal error on user property objects
--------------------------+-------------------------------------------------
Reporter: filosofo | Owner: ryan
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.0
Component: Users | Version: 2.9
Severity: normal | Keywords: sanitize_user_object
--------------------------+-------------------------------------------------
Suppose a plugin has serialized an object and saved it as user-meta data.
(I'm not saying this is a good idea, but other people are doing it).
{{{get_user_to_edit()}}} gets the user data as an object with that
now-unserialized-object as a property of the user object. Then it passes the
user object to {{{sanitize_user_object()}}}.
{{{sanitize_user_object()}}} currently loops through each property of the
user object and if the property is not an array, it attempts to sanitize
it. When the property is an object, you get a fatal error trying to cast
the object to a string.
My patch, rather than excluding arrays, only attempts to sanitize things
that are strings or numbers.
You're probably thinking, "if checking for objects is the problem, why not
just call {{{is_object()}}}?" The problem is that if the serialized
object is of an object type that is no longer defined, {{{is_object()}}}
returns false. This could happen in the case in which a plugin saves the
serialized object as user meta data, and then the plugin is deactivated.
Then you end up with something that's a {{{__PHP_Incomplete_Class}}}, a
non-object object.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11509>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
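
The failure and the type allow-list described in the ticket, as an added example that is not part of the original ticket or the WordPress patch. `demo_sanitize_field()`, the `Plugin_Prefs` class name and the sample user are constructed stand-ins; the string cast raises a catchable `Error` only on PHP 7.4 and later.

```php
<?php
// Added example. demo_sanitize_field() is a hypothetical stand-in for the
// per-field sanitizer; it casts to string like the code the ticket describes.
function demo_sanitize_field($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Deny-list form from the ticket: skip arrays, sanitize everything else.
function sanitize_denylist($user) {
    foreach (get_object_vars($user) as $name => $value) {
        if (!is_array($value)) {
            $user->$name = demo_sanitize_field($value);
        }
    }
    return $user;
}

// Allow-list form (assumed shape of the fix): touch only strings and numbers.
function sanitize_allowlist($user) {
    foreach (get_object_vars($user) as $name => $value) {
        if (is_string($value) || is_numeric($value)) {
            $user->$name = demo_sanitize_field($value);
        }
    }
    return $user;
}

// Constructed sample: serialized object of a class ("Plugin_Prefs",
// hypothetical) that is not defined here, as after plugin deactivation.
$meta = 'O:12:"Plugin_Prefs":1:{s:5:"theme";s:4:"dark";}';

$user = new stdClass();
$user->user_login   = 'alice<script>';
$user->user_level   = 10;
$user->caps         = array('administrator' => true);
$user->plugin_prefs = unserialize($meta); // becomes __PHP_Incomplete_Class

// is_object() is version-dependent for this value (false before PHP 7.2),
// so the instanceof check is the reliable way to recognise it.
var_dump(is_object($user->plugin_prefs));
var_dump($user->plugin_prefs instanceof __PHP_Incomplete_Class);

try {
    sanitize_denylist(clone $user);
} catch (Error $e) { // PHP 7.4+; earlier versions halt with a fatal error
    echo 'deny-list: ', $e->getMessage(), "\n";
}

$clean = sanitize_allowlist(clone $user);
echo 'allow-list: ', $clean->user_login, ' / ',
     get_class($clean->plugin_prefs), "\n";
```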