[wp-trac] [WordPress Trac] #60745: WP_Query::parse_query() does not handle invalid query arg values
WordPress Trac
noreply at wordpress.org
Wed Jul 17 18:06:35 UTC 2024
#60745: WP_Query::parse_query() does not handle invalid query arg values
--------------------------------------------+------------------------------
Reporter: xknown | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Query | Version:
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests php80 | Focuses:
--------------------------------------------+------------------------------
Comment (by dmsnell):
I agree with @jrf that it's valuable to surface errors like these,
especially if they are mistakes by developers. I also agree with @xknown
and @josephscott that mistakes or malicious probing should not break a
website. In any case where a site owner doesn't have control over the
code, I don't think WordPress should punish them for something a developer
or attacker did.
Is this not why we have `_doing_it_wrong()`? I could easily imagine adding
a method to parse the argument type, which allows us to declare the
expected type of each argument, and that method could notify developers
while allowing sites to continue in potentially-degraded form.
I will point out that the proposed patch is not introducing any //change//
in how invalid values are handled. The diff view makes it look bigger
because of the required whitespace changes from the linting rules, but
this patch merely continues examining parameters that previously were
overlooked, following the exact pattern. So if we say it's wrong to
validate, we should probably open a ticket and propose changing what was
proposed in [53891].
--
Ticket URL: <https://core.trac.wordpress.org/ticket/60745#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
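An added illustration of the approach dmsnell describes (declare each argument's expected type, report a mismatch through `_doing_it_wrong()`, and keep going in degraded form). This is example code written for this page, not WordPress core code and not the ticket's patch; the helper `wp_example_parse_typed_arg()`, the schema, the sample input, and the `_doing_it_wrong()` stand-in are all assumptions made so the file runs on its own under the PHP CLI.

```php
<?php
// Added example (not WordPress core code) sketching the idea in the comment
// above: declare each query arg's expected type, report a wrong type through
// _doing_it_wrong(), and carry on with a safe default instead of letting the
// bad value reach code that would throw a TypeError on PHP 8.

// Stand-in so the file runs outside WordPress; inside WordPress the real
// _doing_it_wrong() is already defined and this block is skipped.
if ( ! function_exists( '_doing_it_wrong' ) ) {
	function _doing_it_wrong( $function_name, $message, $version ) {
		fwrite( STDERR, "[_doing_it_wrong] {$function_name}: {$message} (since {$version})\n" );
	}
}

/**
 * Hypothetical helper (name and signature belong to this example, not core).
 * Returns $value coerced to $type, or $default when it cannot be.
 *
 * @param string $name    Query arg name, used in the notice only.
 * @param mixed  $value   Raw value; may come from the request, so any PHP type.
 * @param string $type    'int', 'string', 'array' or 'bool'.
 * @param mixed  $default Value used when $value has the wrong type.
 * @return mixed
 */
function wp_example_parse_typed_arg( $name, $value, $type, $default ) {
	switch ( $type ) {
		case 'int':
			// Accept real ints and integer strings such as "20" or "-1".
			if ( is_int( $value ) || ( is_string( $value ) && preg_match( '/^-?\d+$/', $value ) ) ) {
				return (int) $value;
			}
			break;

		case 'string':
			// Accept any scalar. Arrays and objects are rejected rather than
			// cast: PHP 8 built-ins such as trim() throw a TypeError when
			// handed an array where a string is expected.
			if ( is_scalar( $value ) ) {
				return (string) $value;
			}
			break;

		case 'array':
			if ( is_array( $value ) ) {
				return $value;
			}
			break;

		case 'bool':
			if ( is_bool( $value ) ) {
				return $value;
			}
			// "1"/"0", "true"/"false", "yes"/"no", "on"/"off" are accepted;
			// anything else yields null and falls through to the notice.
			if ( is_scalar( $value ) ) {
				$parsed = filter_var( $value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE );
				if ( null !== $parsed ) {
					return $parsed;
				}
			}
			break;
	}

	// Wrong type: tell the developer, keep the site running with the default.
	_doing_it_wrong(
		'WP_Query::parse_query',
		sprintf( 'Query arg "%s" expected %s, got %s.', $name, $type, gettype( $value ) ),
		'0.0.0 (example)'
	);
	return $default;
}

// Constructed schema: arg name => [ expected type, default ].
$schema = array(
	'posts_per_page'      => array( 'int', 10 ),
	's'                   => array( 'string', '' ),
	'post__in'            => array( 'array', array() ),
	'ignore_sticky_posts' => array( 'bool', false ),
);

// Constructed input: one valid value and three of the wrong type.
$raw_args = array(
	'posts_per_page'      => '20',
	's'                   => array( 'not', 'a', 'string' ),
	'post__in'            => '1,2,3',
	'ignore_sticky_posts' => 'maybe',
);

$parsed_args = array();
foreach ( $schema as $name => list( $type, $default ) ) {
	$value                = array_key_exists( $name, $raw_args ) ? $raw_args[ $name ] : $default;
	$parsed_args[ $name ] = wp_example_parse_typed_arg( $name, $value, $type, $default );
}

var_export( $parsed_args );
```

Run under the PHP CLI, each of the three wrongly typed args produces one notice on STDERR and comes back as its declared default, while `posts_per_page` is accepted as the integer 20; the request is served in degraded form rather than failing. The helper is deliberately a whitelist of accepted shapes per type, so an unexpected value can only ever become the default, never something the downstream code was not written to handle.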