[wp-trac] [WordPress Trac] #59588: False returned instead of default value on get_option with failure of unserializing data.
WordPress Trac
noreply at wordpress.org
Tue Oct 10 20:20:12 UTC 2023
#59588: False returned instead of default value on get_option with failure of
unserializing data.
--------------------------+-----------------------------
Reporter: cweberDC | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Widgets | Version: 6.3.2
Severity: normal | Keywords: needs-patch
Focuses: |
--------------------------+-----------------------------
Hello, I noticed a bug with the ability to load the customize screen of
any theme if there is a malformed option value set.
I noticed from wp-includes/class-wp-customize-widgets.php
{{{#!php
<?php
customize_register();
}}}
This performs an array_merge, which throws an error because the 3rd argument
being returned is not an array and is instead `false`.
In wp-includes/widgets.php
{{{#!php
<?php
wp_get_sidebars_widgets();
}}}
This calls
{{{#!php
<?php
$sidebars_widgets = get_option( 'sidebars_widgets', array() );
}}}
I found that the end of the function in the `apply_filters` (line 255) is
calling `maybe_unserialize` in the call. The issue with this is when the
option value is malformed and the serializing returns `False`. That gets
passed back to where it is trying to merge the arrays. I added some code as
a test, and it worked after I changed it to the following:
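{{{#!php
<?php
	// Proposed end of get_option(): unserialize first, then fall back to the
	// caller's default when the result is empty and of a different type.
	$data = maybe_unserialize( $value );
	if ( ! $data && $default_value !== false && gettype( $data ) !== gettype( $default_value ) ) {
		$data = $default_value;
	}
	return apply_filters( "option_{$option}", $data, $option );
}
}}}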
The idea I tried to solve for is if a default value has been passed in but
the value we are about to return is not what the receiving function is
expecting then it should try to make sure it is at least passing back the
expected type of the default value.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/59588>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
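
The failure the ticket describes, reproduced outside WordPress as an added example (not code from the ticket or from WordPress core). The `demo_` functions are hypothetical stand-ins, the serialized strings are constructed, and the `TypeError` assumes PHP 8; the `is_array()` guard is one caller-side mitigation, not the reporter's patch.

```php
<?php
// Added illustration; every demo_* name is hypothetical and nothing here is core code.

// Simplified stand-in for maybe_unserialize(): a string that looks serialized is
// handed to unserialize(), which returns false when the payload is malformed.
function demo_maybe_unserialize( $value ) {
	if ( is_string( $value ) && preg_match( '/^[aOsbid]:/', $value ) ) {
		return @unserialize( trim( $value ) );
	}
	return $value;
}

// Stand-in for the behaviour reported in the ticket: a row exists in the options
// table, so the caller's default is never consulted, even if decoding fails.
function demo_get_option( $stored, $default_value = false ) {
	return demo_maybe_unserialize( $stored );
}

// Caller-side guard: accept the option only if it has the type the caller needs.
function demo_get_sidebars_widgets( $stored ) {
	$sidebars_widgets = demo_get_option( $stored, array() );
	return is_array( $sidebars_widgets ) ? $sidebars_widgets : array();
}

// Constructed sample values. The second declares two elements but carries one,
// so it still looks serialized yet cannot be decoded.
$valid     = 'a:1:{s:9:"sidebar-1";a:1:{i:0;s:6:"text-2";}}';
$malformed = 'a:2:{s:9:"sidebar-1";a:1:{i:0;s:6:"text-2";}}';

var_dump( demo_get_option( $valid, array() ) );
var_dump( demo_get_option( $malformed, array() ) );

// The merge performed during customize registration, reduced to its failing argument.
try {
	array_merge( array(), array(), demo_get_option( $malformed, array() ) );
} catch ( TypeError $e ) {
	echo 'array_merge failed: ', $e->getMessage(), "\n";
}

// With the guard, the malformed row degrades to an empty widget map.
var_dump( demo_get_sidebars_widgets( $malformed ) );
```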