[wp-trac] [WordPress Trac] #57138: Sanitize attachment ID in media.php
WordPress Trac
noreply at wordpress.org
Thu Nov 17 22:32:01 UTC 2022
#57138: Sanitize attachment ID in media.php
--------------------------+-----------------------------
Reporter: jaedm97 | Owner: (none)
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Media | Version: trunk
Severity: normal | Resolution: wontfix
Keywords: has-patch | Focuses: administration
--------------------------+-----------------------------
Changes (by peterwilsoncc):
* status: new => closed
* resolution: => wontfix
* milestone: Awaiting Review =>
Comment:
I agree with @SergeyBiryukov that casting to `int` makes the call to
`sanitize_text_field()` redundant.
If, after type casting, the value is cast to zero then the
`current_user_can()` check that follows will fail and prevent the user
from proceeding.
At times sanitization can be quite nuanced and this is one of those cases:
as a rule casting to a numeric value is considered safe.
I'm going to close this ticket off without a fix but I really appreciate
you suggesting the hardening measure.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/57138#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
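The behaviour the comment relies on, as an added example that is not code from the ticket or from WordPress core: a plain `(int)` cast collapses anything without leading digits to `0`, and a capability check on the cast value is what actually gates the request. The `$user_can_edit` callable is a hypothetical stand-in for `current_user_can( 'edit_post', $id )`, and the inputs are constructed.

```php
<?php
// Added example (not from #57138 or WordPress core). Shows what (int) does to
// request-supplied attachment IDs and why the capability check is the gate.

/**
 * Mirror the pattern discussed in the ticket: cast the raw value to int and
 * refuse to proceed unless the user may edit that specific post.
 * $user_can_edit is a hypothetical stand-in for current_user_can( 'edit_post', $id ).
 */
function resolve_attachment_id( $raw, callable $user_can_edit ) {
    $attachment_id = (int) $raw;       // non-numeric input collapses to 0
    if ( 0 === $attachment_id ) {
        return null;                   // no post has ID 0, nothing to act on
    }
    if ( ! $user_can_edit( $attachment_id ) ) {
        return null;                   // the capability check is the real gate
    }
    return $attachment_id;
}

// Constructed sample inputs, including strings one might otherwise pass
// through sanitize_text_field().
$samples = array(
    '42',                         // plain numeric string        -> 42
    ' 42 ',                       // surrounding whitespace      -> 42
    '42abc',                      // PHP keeps the leading digits -> 42
    '<script>alert(1)</script>',  // no leading digits           -> 0
    'abc',                        //                             -> 0
    '',                           //                             -> 0
    '-7',                         // negative IDs survive the cast -> -7,
                                  // so the capability check must reject them
);

// Hypothetical permission oracle for the demo: only post 42 is editable.
$can_edit = function ( $id ) {
    return 42 === $id;
};

foreach ( $samples as $raw ) {
    $cast   = (int) $raw;
    $result = resolve_attachment_id( $raw, $can_edit );
    printf( "%-28s cast=%-3d result=%s\n",
        var_export( $raw, true ), $cast, var_export( $result, true ) );
}
```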