Improve parameter sanitization in WP_Date_Query::build_query().

* Don't run non-numeric values through intval() for sanitization; this transforms them into 1s and 0s, which can cause unintended results. * Be more generous about numeric array keys (don't require 0 and 1) in BETWEEN and NOT BETWEEN clauses. Fixes #29801. Built from https://develop.svn.wordpress.org/trunk@29797 git-svn-id: http://core.svn.wordpress.org/trunk@29566 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2025-03-09 07:00:01 +00:00 · 2014-09-30 14:04:18 +00:00 · 2014-09-30 14:04:18 +00:00 · 40dd52b228
commit 40dd52b228
parent bf52618636
1 changed files with 25 additions and 2 deletions
--- a/wp-includes/date.php
+++ b/wp-includes/date.php
@ -313,18 +313,41 @@ class WP_Date_Query {
 		switch ( $compare ) {
 			case 'IN':
 			case 'NOT IN':
-				return '(' . implode( ',', array_map( 'intval', (array) $value ) ) . ')';
+				$value = (array) $value;
+
+				// Remove non-numeric values.
+				$value = array_filter( $value, 'is_numeric' );
+
+				if ( empty( $value ) ) {
+					return false;
+				}
+
+				return '(' . implode( ',', array_map( 'intval', $value ) ) . ')';

 			case 'BETWEEN':
 			case 'NOT BETWEEN':
-				if ( ! is_array( $value ) || 2 != count( $value ) || ! isset( $value[0] ) || ! isset( $value[1] ) )
+				if ( ! is_array( $value ) || 2 != count( $value ) ) {
 					$value = array( $value, $value );
+				} else {
+					$value = array_values( $value );
+				}
+
+				// If either value is non-numeric, bail.
+				foreach ( $value as $v ) {
+					if ( ! is_numeric( $v ) ) {
+						return false;
+					}
+				}

 				$value = array_map( 'intval', $value );

 				return $value[0] . ' AND ' . $value[1];

 			default;
+				if ( ! is_numeric( $value ) ) {
+					return false;
+				}
+
 				return (int) $value;
 		}
 	}