[wp-trac] [WordPress Trac] #51094: WP_Query.query with invalid post_status will return all

WordPress Trac noreply at wordpress.org
Mon Oct 26 21:49:15 UTC 2020


#51094: WP_Query.query with invalid post_status will return all
--------------------------+------------------------------
 Reporter:  carsonreinke  |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Query         |     Version:  trunk
 Severity:  critical      |  Resolution:
 Keywords:  needs-patch   |     Focuses:
--------------------------+------------------------------
Changes (by metalandcoffee):

 * keywords:   => needs-patch


Comment:

 I've also confirmed this issue. I tested the bug all the way back to
 WordPress version 3.9 and it was still an issue. Maybe this has always
 been a thing?

 It looks like the logic inside of `WP_Query`'s `get_posts` method
 (`wp-includes/class-wp-query.php`) only accommodates for the following cases:

 1. No post_status argument was provided in the new `WP_Query` object so it
 generates the SQL statement with the default values ('publish' or
 'private'):
 Example: `new WP_Query( array( 'author' => '1') );`

 Generated SQL:
 `SELECT SQL_CALC_FOUND_ROWS  wp_posts.ID FROM wp_posts  WHERE 1=1  AND
 wp_posts.post_author IN (1)  AND wp_posts.post_type = 'post' AND
 (wp_posts.post_status = 'publish' OR wp_posts.post_status = 'private')
 ORDER BY wp_posts.post_date DESC LIMIT 0, 10`

 2. A post_status argument is provided in the new `WP_Query` object and
 matches one of the available post statuses.
 Example: `new WP_Query( array( 'post_status' => 'publish') );`

 Generated SQL:
 `SELECT SQL_CALC_FOUND_ROWS  wp_posts.ID FROM wp_posts  WHERE 1=1  AND
 wp_posts.post_type = 'post' AND ((wp_posts.post_status = 'publish'))
 ORDER BY wp_posts.post_date DESC LIMIT 0, 10`

 It doesn't accommodate for the case where a post_status argument is
 provided but it doesn't match any of the available post statuses.

 So in that case, because none of the conditionals are met in order to
 append one of the relevant post_status SQL conditionals, the following SQL
 is generated:
 `SELECT SQL_CALC_FOUND_ROWS  wp_posts.ID FROM wp_posts  WHERE 1=1  AND
 wp_posts.post_type = 'post'  ORDER BY wp_posts.post_date DESC LIMIT 0, 10`

 Which obviously results in all posts being returned.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/51094#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
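As an added example (not code from the ticket or from WordPress core), here is a small Python model of the three cases the comment walks through, run against a constructed in-memory `wp_posts` table: the modelled clause builder silently drops the status filter for an unknown status, while an assumed hardened builder rejects it instead. The registered status set, the table rows, the list-shaped `post_status` argument and the `safe_status_clause` fix are all assumptions of this example.

```python
import sqlite3

# Constructed set of registered statuses; a real site would ask get_post_stati().
REGISTERED_STATUSES = {"publish", "private", "draft", "pending", "future", "trash"}
DEFAULT_STATUSES = ("publish", "private")

def _or_clause(statuses):
    return " OR ".join(f"wp_posts.post_status = '{s}'" for s in statuses)

def buggy_status_clause(requested):
    """Model of WP_Query::get_posts as the ticket describes it (not the real code)."""
    if requested is None:                       # case 1: no argument -> defaults
        return "(" + _or_clause(DEFAULT_STATUSES) + ")"
    wanted = [s for s in requested if s in REGISTERED_STATUSES]
    if not wanted:                              # the bug: nothing matched, clause dropped
        return ""
    return "((" + _or_clause(wanted) + "))"     # case 2: known status(es)

def safe_status_clause(requested):
    """Hardened variant (an assumed fix, not the project's): reject unknown values."""
    if requested is not None:
        unknown = sorted(set(requested) - REGISTERED_STATUSES)
        if unknown:
            raise ValueError(f"unknown post_status value(s): {unknown}")
    return buggy_status_clause(requested)

def build_sql(clause_fn, requested):
    """Assemble the SELECT the ticket quotes (SQL_CALC_FOUND_ROWS omitted for SQLite)."""
    sql = "SELECT wp_posts.ID FROM wp_posts WHERE 1=1 AND wp_posts.post_type = 'post'"
    clause = clause_fn(requested)
    if clause:
        sql += " AND " + clause
    return sql + " ORDER BY wp_posts.post_date DESC LIMIT 0, 10"

def run(clause_fn, requested):
    """Run the generated SQL against a constructed in-memory wp_posts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER, post_type TEXT, post_status TEXT, post_date TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?)", [
        (1, "post", "publish", "2020-01-01"),
        (2, "post", "private", "2020-01-02"),
        (3, "post", "draft",   "2020-01-03"),   # must not be exposed by a bad status value
        (4, "post", "trash",   "2020-01-04"),
    ])
    return [row[0] for row in conn.execute(build_sql(clause_fn, requested))]
```

With the buggy builder, `run(buggy_status_clause, ["bogus"])` returns every row, drafts and trashed posts included, which is the widening the ticket reports; the hardened builder raises instead of querying.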
