[wp-trac] [WordPress Trac] #54160: sanitize_key() / _wp_customize_include() is not able to handle non-scalar values

WordPress Trac noreply at wordpress.org
Tue Dec 14 14:59:47 UTC 2021


#54160: sanitize_key() / _wp_customize_include() is not able to handle non-scalar values
---------------------------------------------+-----------------------------
 Reporter:  dd32                             |       Owner:  hellofromTonya
     Type:  defect (bug)                     |      Status:  closed
 Priority:  normal                           |   Milestone:  5.9
Component:  Formatting                       |     Version:
 Severity:  normal                           |  Resolution:  fixed
 Keywords:  has-patch has-unit-tests commit  |     Focuses:
---------------------------------------------+-----------------------------
Changes (by hellofromTonya):

 * status:  reopened => closed
 * resolution:   => fixed


Comment:

 In [changeset:"52370" 52370]:
 {{{
 #!CommitTicketReference repository="" revision="52370"
 Formatting: Use `is_scalar()` in `sanitize_key()`.

 This is a follow-up to [52292] which introduced `is_string()` to check the
 given key is a string to be sanitized, else the key is set to an empty
 string.

 `sanitize_key()` is clearly identified (in the documentation) to only work
 with ''string'' keys. However, it had a bug in it that allowed non-strings
 to pass through it:
 * A non-scalar "key" would throw a PHP Warning (which was resolved in
 [52292]).
 * A non-string scalar "key" was handled by the PHP native `strtolower()`
 which converted it into a string.

 While `is_string()` is valid, non-string scalar types passed as the key to
 be sanitized were being set to an empty string. Given that `strtolower()`
 handles these without error or deprecation as of PHP 8.1, `is_scalar()`
 protects the website from issues while retaining the past behavior of
 converting integer keys (for example) into a string.

 Changes include:
 * Using `is_scalar()` instead of `is_string()`
 * Refactor for readability and less code
 * More tests

 Please note, this does not change the behavior of the function, nor
 redefine it to now accept non-string scalars.

 References:
 * https://developer.wordpress.org/reference/functions/sanitize_key/
 * https://www.php.net/manual/en/function.strtolower.php

 Follow-up [52292].

 Props wppunk, hellofromTonya, costdev, jrf.
 Fixes #54160.
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/54160#comment:29>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
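To make the difference between the `is_string()` and `is_scalar()` guards concrete, here is an added illustrative example. It is not WordPress core code and not part of the ticket or changeset above; the function names `sanitize_key_is_string()` and `sanitize_key_is_scalar()` and the sample inputs are constructed for this demonstration. Both helpers lowercase the key and strip everything outside `[a-z0-9_-]`; they differ only in which input types reach `strtolower()`.

```php
<?php
// Added example (not WordPress core): two sanitize_key()-style helpers that
// differ only in their type guard. Names and inputs are constructed here.

// Variant guarded by is_string(): any non-string input, including an
// integer key, is replaced by the empty string.
function sanitize_key_is_string( $key ): string {
    if ( ! is_string( $key ) ) {
        return '';
    }
    $lower = strtolower( $key );
    return preg_replace( '/[^a-z0-9_\-]/', '', $lower );
}

// Variant guarded by is_scalar(): strings, ints, floats and bools are
// converted to a string and sanitized; arrays, objects and null return ''
// instead of triggering the warning strtolower() raises on an array.
function sanitize_key_is_scalar( $key ): string {
    if ( ! is_scalar( $key ) ) {
        return '';
    }
    $lower = strtolower( (string) $key );
    return preg_replace( '/[^a-z0-9_\-]/', '', $lower );
}

// Constructed inputs covering string, non-string scalar and non-scalar keys.
$cases = array(
    'Hello-World_1!',   // string: lowercased, "!" dropped
    123,                // int: kept as "123" only by the is_scalar() variant
    1.5,                // float: "1.5" becomes "15" after stripping the dot
    true,               // bool: strtolower() yields "1"
    null,               // not scalar: '' in both variants
    array( 'a', 'b' ),  // array: '' in both variants, no PHP warning
    new stdClass(),     // object: '' in both variants
);

printf( "%-14s | %-14s | %s\n", 'input', 'is_string()', 'is_scalar()' );
foreach ( $cases as $input ) {
    printf(
        "%-14s | %-14s | %s\n",
        json_encode( $input ),
        var_export( sanitize_key_is_string( $input ), true ),
        var_export( sanitize_key_is_scalar( $input ), true )
    );
}
```

Running the script prints one row per input: the string case sanitizes identically under both guards, the integer, float and boolean keys survive only under `is_scalar()`, and the array, object and null cases yield `''` under both, which is the behaviour the changeset describes.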