[wp-trac] [WordPress Trac] #58619: absint() causes unexpected behavior for metadata functions which use get_metadata_raw()
WordPress Trac
noreply at wordpress.org
Sun Jun 25 22:12:44 UTC 2023
#58619: absint() causes unexpected behavior for metadata functions which use
get_metadata_raw()
--------------------------------+-----------------------------
Reporter: michelleblanchette | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Options, Meta APIs | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------------+-----------------------------
I discovered this behavior when testing on WordPress version 5.6 and
observed the logic flaw in the current code documentation.
In my instance, I have a function that is expected to retrieve a user ID
and returns -1 as an error case. This can then end up being used with
WordPress's get_user_meta() which eventually uses get_metadata_raw(). The
use of absint() on the $object_id within this function causes unexpected
behavior as my -1, an invalid object ID, is now interpreted as 1, a valid
object ID.
I was expecting WordPress to treat the object ID as invalid if it was so,
but it instead changed the value of my provided argument.
The offending code is here:
https://core.trac.wordpress.org/browser/tags/6.2/src/wp-includes/meta.php#L603
Please let me know if I'm misunderstanding the purpose of absint() within
this function, but it seems like a sneaky rug pull gotcha. I believe the
validation on L599 which includes {{{ ! is_numeric( $object_id ) }}}
should also include {{{ || $object_id < 0 }}} to resolve this issue, as
well as change L603 to use intval().
--
Ticket URL: <https://core.trac.wordpress.org/ticket/58619>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
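
The behavior described in the ticket and the reporter's proposed check, side by side, as an added PHP example that is not WordPress core code or the reporter's code. It runs without WordPress: the function names are hypothetical, `demo_absint()` stands in for core's `absint()`, and the sample IDs are constructed.

```php
<?php
// Added illustration; all function names here are hypothetical.

// Same arithmetic as WordPress's absint(): abs( (int) $value ).
function demo_absint( $maybeint ) {
    return abs( (int) $maybeint );
}

// Models the two steps the ticket cites: the is_numeric() check, then absint().
function normalize_id_current( $object_id ) {
    if ( ! is_numeric( $object_id ) ) {
        return false;
    }
    return demo_absint( $object_id );
}

// Models the reporter's proposal: also reject negatives, then use intval().
function normalize_id_proposed( $object_id ) {
    if ( ! is_numeric( $object_id ) || $object_id < 0 ) {
        return false;
    }
    return intval( $object_id );
}

// Constructed sample inputs: valid IDs, negative error sentinels, non-numeric values.
$samples = array( 42, '42', -1, '-1', -7.9, 'abc', null );

// Print what each variant hands on to the metadata lookup for every input.
foreach ( $samples as $id ) {
    printf(
        "%-8s current => %-6s proposed => %s\n",
        var_export( $id, true ),
        var_export( normalize_id_current( $id ), true ),
        var_export( normalize_id_proposed( $id ), true )
    );
}
```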