[wp-trac] [WordPress Trac] #33341: WP_Meta_Query IN operator with empty array does not return expected result
WordPress Trac
noreply at wordpress.org
Mon Apr 26 10:38:33 UTC 2021
#33341: WP_Meta_Query IN operator with empty array does not return expected result
--------------------------+-----------------------
Reporter: flixos90 | Owner: (none)
Type: defect (bug) | Status: reopened
Priority: normal | Milestone:
Component: Query | Version: 3.2
Severity: critical | Resolution:
Keywords: dev-feedback | Focuses:
--------------------------+-----------------------
Changes (by patkemper):
* status: closed => reopened
* resolution: wontfix =>
* severity: normal => critical
Comment:
Well, it has been several years now and this is still an issue.
I don't know whether it's just me, but this bug is critical, as it causes
a severe security issue. As you can see, WordPress isn't handling empty
arrays properly, which causes the query to fetch the full dataset.
This faulty behavior might get you in big trouble if you are not aware of
this.
Example situation: Imagine saving sensitive data using a custom post type.
Associate some of them to specific users. Users who just have no
association might see all the data.
For anyone who needs a quick fix: this will set the value of the
meta-query to [-1] if the value is empty:
{{{#!php
<?php
// Quick fix: replace an empty IN value with [ -1 ] so the clause stays in the query.
function custom_query( $query ) {
    $the_meta_query = $query->get( 'meta_query' );
    if ( is_array( $the_meta_query ) ) {
        // Only top-level clauses are inspected here.
        foreach ( $the_meta_query as $id => $meta_query ) {
            if ( isset( $meta_query['compare'] ) && isset( $meta_query['value'] ) ) {
                if ( $meta_query['compare'] == 'IN' ) {
                    if ( empty( $meta_query['value'] ) ) {
                        // Sentinel value intended to match no stored meta value.
                        $the_meta_query[ $id ]['value'] = [ -1 ];
                        $query->set( 'meta_query', $the_meta_query );
                    }
                }
            }
        }
    }
}
// Run before WP_Query builds its SQL.
add_action( 'pre_get_posts', 'custom_query' );
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/33341#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
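
An added example (not part of the original comment and not WordPress core code): a plain-PHP variant of the workaround above that goes beyond the post by also walking nested meta_query groups and matching the operator case-insensitively. The function name and the meta keys in the sample input are hypothetical; the `[-1]` sentinel is the one used in the post.

```php
<?php
// Added example: fail closed on empty IN values anywhere in a meta_query tree.
// fail_closed_empty_in() is a hypothetical helper, not a WordPress API.
function fail_closed_empty_in( array $meta_query ): array {
    foreach ( $meta_query as $key => $clause ) {
        if ( ! is_array( $clause ) ) {
            continue; // scalar entries such as 'relation' => 'OR'
        }
        $is_leaf = array_key_exists( 'key', $clause )
            || array_key_exists( 'value', $clause )
            || array_key_exists( 'compare', $clause );
        if ( ! $is_leaf ) {
            // No key/value/compare: treat as a nested group and recurse.
            $meta_query[ $key ] = fail_closed_empty_in( $clause );
            continue;
        }
        $compare = $clause['compare'] ?? '';
        if ( ! is_string( $compare ) || 'IN' !== strtoupper( $compare ) ) {
            continue; // only the IN operator is handled here
        }
        $value = $clause['value'] ?? null;
        // Strict checks: '0' or 0 are real values and must not be rewritten.
        if ( null === $value || '' === $value || array() === $value ) {
            $meta_query[ $key ]['value'] = array( -1 ); // sentinel from the post
        }
    }
    return $meta_query;
}

// Constructed sample input: the logged-in user has no associated records,
// so the list of allowed IDs is empty.
$allowed_ids = array();
$sample = array(
    'relation' => 'AND',
    array( 'key' => 'record_status', 'value' => 'published' ),
    array(
        'relation' => 'OR',
        array( 'key' => 'assigned_user', 'compare' => 'in', 'value' => $allowed_ids ),
        array( 'key' => 'assigned_group', 'compare' => 'IN', 'value' => array( 7, 9 ) ),
    ),
);

echo json_encode( fail_closed_empty_in( $sample ), JSON_PRETTY_PRINT ), PHP_EOL;
```

In a `pre_get_posts` callback like the one in the post, the result would be passed back with `$query->set( 'meta_query', ... )`. Where the empty list is known at the call site, skipping the query entirely is the simpler fail-closed choice.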