[wp-trac] [WordPress Trac] #55216: CPT slug value conflicts with wp-admin

WordPress Trac noreply at wordpress.org
Mon Feb 21 14:58:55 UTC 2022


#55216: CPT slug value conflicts with wp-admin
----------------------------+-----------------------------
 Reporter:  drzraf          |      Owner:  (none)
     Type:  defect (bug)    |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  Query           |    Version:  5.9
 Severity:  normal          |   Keywords:
  Focuses:  administration  |
----------------------------+-----------------------------
 There is no such thing as a custom-post-type slug blacklist: **WordPress
 assumes any slug is ok**, but this is not the case.
 **A badly chosen slug can result in strange behaviors and hard-to-spot
 issues.**

 I'm reporting about the _"action"_ slug: Defining such a CPT results in a
 non-working admin-search (no results or inadequate results).

 The chain of events is the following: When using admin-side search, this
 kind of URL is generated and routed by WP:
 `wp-admin/edit.php?s=foobar&post_status=all&post_type=page&action=-1&m=0&paged=1&action2=-1`

 Inside `Wp::parse_request()` there is a loop (l. 300) going over
 `public_query_vars` (which includes every slug, every permastruct + built-in
 query parameters).

 If this parameter is set (eg: `action=-1` while an _"action"_ CPT is
 defined), then `$this->query_vars['name']` is set to the value.

 The resulting SQL request is
 {{{
 SELECT wp_posts.ID, wp_posts.post_parent FROM wp_posts  WHERE 1=1  AND
 wp_posts.post_name = '1' AND (((wp_posts.post_title LIKE '%foobar%') OR
 (wp_posts.post_excerpt LIKE '%foobar%') OR (wp_posts.post_content LIKE
 '%foobar%')))  AND wp_posts.post_type = 'page'  ORDER BY
 wp_posts.menu_order ASC, wp_posts.post_title ASC
 }}}

 This part `wp_posts.post_name = '1'` (where "1" is the transformation of
 "-1") keeps correct records from being retrieved.


 I see two options:
 - One is documenting an official keyword list of forbidden slugs (it could
 even be hardcoded and trigger an error)
 - Another is fixing the router so that built-in parameters do not collide
 with slug-derived ones. Admin-side search is one such place where this
 collision exists, but others _may_ exist

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/55216>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
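The following is an added illustration, not code from the ticket or from WordPress core: a small Python model of the `parse_request()` loop the report describes, run against the URL quoted above, plus the pre-registration check the reporter's first option amounts to. The built-in query var list, the `sanitize_slug()` stand-in for `sanitize_title()`, and all function names are assumptions made for this example; WordPress's real `public_query_vars` is longer than the seven names taken from the ticket's URL.

```python
from urllib.parse import parse_qs, urlsplit

# Admin request parameters visible in the ticket's URL. Constructed, shortened
# stand-in for WordPress's real public_query_vars (assumption: the real list is
# longer, but these are the names that matter for this report).
BUILTIN_QUERY_VARS = ("s", "post_status", "post_type", "action", "m", "paged", "action2")

# The admin-search URL quoted in the ticket.
TICKET_URL = ("wp-admin/edit.php?s=foobar&post_status=all&post_type=page"
              "&action=-1&m=0&paged=1&action2=-1")


def sanitize_slug(value):
    """Rough stand-in for sanitize_title(): keep [a-z0-9-_] and trim edge
    dashes, so '-1' becomes '1' exactly as in the ticket's SQL."""
    kept = "".join(ch for ch in value.lower() if ch.isalnum() or ch in "-_")
    return kept.strip("-")


def parse_request(url, registered_post_types):
    """Simplified model of the WP::parse_request() loop the ticket points at:
    every registered CPT slug is appended to the public query vars, and a
    request parameter whose name equals a CPT slug is copied into
    query_vars['name']."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    public_query_vars = list(BUILTIN_QUERY_VARS) + sorted(registered_post_types)
    query_vars = {}
    for var in public_query_vars:
        if var in params:
            query_vars[var] = params[var][0]
    # The collision: a CPT named like a built-in parameter (e.g. "action")
    # turns that parameter's value into a post_name lookup.
    for slug in sorted(registered_post_types):
        if slug in query_vars:
            query_vars["name"] = sanitize_slug(query_vars[slug])
    return query_vars


def where_fragment(query_vars):
    """The post_name condition that ends up in the ticket's SQL, or '' when
    no slug collided. The value has already passed sanitize_slug(), so only
    [a-z0-9-_] can appear here; real code still belongs in a prepared query."""
    if "name" in query_vars:
        return "wp_posts.post_name = '{}'".format(query_vars["name"])
    return ""


def conflicting_slugs(registered_post_types):
    """The check the reporter's first option calls for: flag CPT slugs that
    shadow a built-in query var before they are registered."""
    return set(registered_post_types) & set(BUILTIN_QUERY_VARS)


if __name__ == "__main__":
    for cpt in ({"action"}, {"book"}):
        qv = parse_request(TICKET_URL, cpt)
        print(sorted(cpt), "->", where_fragment(qv) or "no post_name filter")
    print("conflicts:", conflicting_slugs({"action", "book"}))
```

With the `action` CPT registered the model reproduces the `wp_posts.post_name = '1'` clause from the ticket; with a non-colliding slug such as `book` no `name` var is set and the search runs unfiltered, which is the expected behaviour. `conflicting_slugs()` is the cheap defensive check a plugin or theme can run (or that core could run inside `register_post_type()`) to refuse a slug before it silently breaks admin search.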

