From 40dd52b228e3cede582d9cf47a7abf0eabe3fddb Mon Sep 17 00:00:00 2001
From: Boone Gorges
Date: Tue, 30 Sep 2014 14:04:18 +0000
Subject: [PATCH] Improve parameter sanitization in WP_Date_Query::build_query().

* Don't run non-numeric values through intval() for sanitization; this transforms them into 1s and 0s, which can cause unintended results.
* Be more generous about numeric array keys (don't require 0 and 1) in BETWEEN and NOT BETWEEN clauses.

Fixes #29801.
Built from https://develop.svn.wordpress.org/trunk@29797

git-svn-id: http://core.svn.wordpress.org/trunk@29566 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/date.php | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/wp-includes/date.php b/wp-includes/date.php
index a060239ea3..1cf4c6da95 100644
--- a/wp-includes/date.php
+++ b/wp-includes/date.php
@@ -313,18 +313,41 @@ class WP_Date_Query {
 switch ( $compare ) {
 case 'IN':
 case 'NOT IN':
- return '(' . implode( ',', array_map( 'intval', (array) $value ) ) . ')';
+ $value = (array) $value;
+
+ // Remove non-numeric values.
+ $value = array_filter( $value, 'is_numeric' );
+
+ if ( empty( $value ) ) {
+ return false;
+ }
+
+ return '(' . implode( ',', array_map( 'intval', $value ) ) . ')';

 case 'BETWEEN':
 case 'NOT BETWEEN':
- if ( ! is_array( $value ) || 2 != count( $value ) || ! isset( $value[0] ) || ! isset( $value[1] ) )
+ if ( ! is_array( $value ) || 2 != count( $value ) ) {
 $value = array( $value, $value );
+ } else {
+ $value = array_values( $value );
+ }
+
+ // If either value is non-numeric, bail.
+ foreach ( $value as $v ) {
+ if ( ! is_numeric( $v ) ) {
+ return false;
+ }
+ }

 $value = array_map( 'intval', $value );

 return $value[0] . ' AND ' . $value[1];

 default;
+ if ( ! is_numeric( $value ) ) {
+ return false;
+ }
+
 return (int) $value;
 }
 }
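Review bot: The new `is_numeric` gate in all three branches (the `array_filter( $value, 'is_numeric' )` for IN/NOT IN, the `foreach` for BETWEEN, and the check under `default`) is looser than the `intval`/`(int)` cast that follows it, so strings such as '1e3', '1.5' or ' 7' pass the check and are then truncated or reinterpreted into an integer the caller did not write. The output is still integer-only, so the fragment stays safe to concatenate into SQL, but the "unintended results" the commit message describes remain for those inputs; if only whole, non-negative numbers are meant, a stricter test such as `is_int( $v ) || ( is_string( $v ) && ctype_digit( $v ) )` would close the gap. Otherwise a comment above the first check would document the limit: `// is_numeric() also accepts floats and exponent strings; intval() truncates them.` The method now also returns `false`, and its signature, docblock and callers are outside this hunk, so confirm that every caller checks for `false` before building the clause. Also confirm that silently dropping an invalid date constraint, which widens the result set, is the intended failure mode.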