From 0b81d79c868a3ed3eedbee53805f1cdad5d90351 Mon Sep 17 00:00:00 2001
From: Boone Gorges <boonebgorges@gmail.com>
Date: Fri, 26 Aug 2016 19:09:27 +0000
Subject: [PATCH] Don't improperly cast IDs when fetching post, user, or term
 objects.

Blindly casting passed IDs to integers can generate false positives
when the ID is cast to `1`.

Props deeptiboddapati.
Fixes #37738.
Built from https://develop.svn.wordpress.org/trunk@38381


git-svn-id: http://core.svn.wordpress.org/trunk@38322 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/class-wp-comment.php | 5 +++--
 wp-includes/class-wp-post.php    | 6 ++++--
 wp-includes/class-wp-term.php    | 5 +++--
 wp-includes/version.php          | 2 +-
 4 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/wp-includes/class-wp-comment.php b/wp-includes/class-wp-comment.php
index 0e9f88a352..80ef9bb1d3 100644
--- a/wp-includes/class-wp-comment.php
+++ b/wp-includes/class-wp-comment.php
@@ -191,11 +191,12 @@ final class WP_Comment {
 	public static function get_instance( $id ) {
 		global $wpdb;
 
-		$comment_id = (int) $id;
-		if ( ! $comment_id ) {
+		if ( ! is_numeric( $id ) || $id != floor( $id ) || ! $id ) {
 			return false;
 		}
 
+		$comment_id = (int) $id;
+
 		$_comment = wp_cache_get( $comment_id, 'comment' );
 
 		if ( ! $_comment ) {
diff --git a/wp-includes/class-wp-post.php b/wp-includes/class-wp-post.php
index 5904e588d0..a21776f192 100644
--- a/wp-includes/class-wp-post.php
+++ b/wp-includes/class-wp-post.php
@@ -210,9 +210,11 @@ final class WP_Post {
 	public static function get_instance( $post_id ) {
 		global $wpdb;
 
-		$post_id = (int) $post_id;
-		if ( ! $post_id )
+		if ( ! is_numeric( $post_id ) || $post_id != floor( $post_id ) || ! $post_id ) {
 			return false;
+		}
+
+		$post_id = (int) $post_id;
 
 		$_post = wp_cache_get( $post_id, 'posts' );
 
diff --git a/wp-includes/class-wp-term.php b/wp-includes/class-wp-term.php
index 8eb87efbe0..6cb4a15bd8 100644
--- a/wp-includes/class-wp-term.php
+++ b/wp-includes/class-wp-term.php
@@ -125,11 +125,12 @@ final class WP_Term {
 	public static function get_instance( $term_id, $taxonomy = null ) {
 		global $wpdb;
 
-		$term_id = (int) $term_id;
-		if ( ! $term_id ) {
+		if ( ! is_numeric( $term_id ) || $term_id != floor( $term_id ) || ! $term_id ) {
 			return false;
 		}
 
+		$term_id = (int) $term_id;
+
 		$_term = wp_cache_get( $term_id, 'terms' );
 
 		// If there isn't a cached version, hit the database.
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 55e512c51f..d8cff06f00 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.7-alpha-38380';
+$wp_version = '4.7-alpha-38381';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.