From 4a7bcc14e47cb0f8a4c5e5764b7f6129432f421c Mon Sep 17 00:00:00 2001
From: Peter Wilson
Date: Mon, 2 May 2022 00:14:29 +0000
Subject: [PATCH] Users: Validate `WP_User_Query`'s `fields` argument.

Improve validation of `WP_User_Query`'s `fields` argument when passed as an array to ensure it only accepts permitted values. This prevents the invalid values being included in the generated database query. Expand unit tests to include passing invalid values as part of an array, the lower case value `id`. Correct earlier unit tests to limit database query to one result. Follow up to [53255]. Props felipeelia. Fixes #53177. Built from https://develop.svn.wordpress.org/trunk@53327 git-svn-id: http://core.svn.wordpress.org/trunk@52916 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
wp-includes/class-wp-user-query.php | 10 ++++++++--
wp-includes/version.php | 2 +-
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/wp-includes/class-wp-user-query.php b/wp-includes/class-wp-user-query.php
index 3d6b28bcc3..050b2822f6 100644
--- a/wp-includes/class-wp-user-query.php
+++ b/wp-includes/class-wp-user-query.php
@@ -285,7 +285,11 @@ class WP_User_Query {
 );
 
 if ( is_array( $qv['fields'] ) ) {
-$qv['fields'] = array_unique( $qv['fields'] );
+$qv['fields'] = array_intersect( array_unique( $qv['fields'] ), $allowed_fields );
+
+if ( empty( $qv['fields'] ) ) {
+$qv['fields'] = array( 'ID' );
+}
 
 $this->query_fields = array();
 foreach ( $qv['fields'] as $field ) {
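Review bot: The `array_intersect()` against `$allowed_fields` is now the only guard between caller-supplied array values and the unescaped interpolation `"$wpdb->users.$field"` in the `foreach` that begins at the end of this hunk, but nothing in the code says so; a comment such as `// Only allow-listed column names may survive here: each entry is interpolated unescaped into the SELECT list below.` would stop a later refactor from quietly dropping the check. `array_intersect()` also preserves keys, so the filtered array may no longer be a list — if anything downstream indexes `$qv['fields'][0]`, wrap the call in `array_values()`. When every value is rejected the fallback to `array( 'ID' )` silently replaces the caller's request, which may be intended but deserves a mention in the same comment (a `_doing_it_wrong()` notice would be the alternative). The enclosing method starts before this hunk and `$allowed_fields` is defined above it.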
@@ -293,8 +297,10 @@ class WP_User_Query {
 $this->query_fields[] = "$wpdb->users.$field";
 }
 $this->query_fields = implode( ',', $this->query_fields );
-} elseif ( ! in_array( $qv['fields'], $allowed_fields, true ) ) {
+} elseif ( 'all' === $qv['fields'] ) {
 $this->query_fields = "$wpdb->users.*";
+} elseif ( ! in_array( $qv['fields'], $allowed_fields, true ) ) {
+$this->query_fields = "$wpdb->users.ID";
 } else {
 $field = 'ID' === $qv['fields'] ? 'ID' : sanitize_key( $qv['fields'] );
 $this->query_fields = "$wpdb->users.$field";
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 0afa0da6d4..96234ef865 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.0-beta3-53326';
+$wp_version = '6.0-beta3-53327';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
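Review bot: The new `! in_array( $qv['fields'], $allowed_fields, true )` branch sends every string other than `'all'` and the allow-listed column names to `"$wpdb->users.ID"`, where the removed line sent them to `"$wpdb->users.*"`; if the `all_with_meta` value that `WP_User_Query` also accepts for `fields` is not in `$allowed_fields` (defined above this hunk), that mode is now reduced to `ID` only, so either confirm `$allowed_fields` covers it or widen the first condition to `} elseif ( 'all' === $qv['fields'] || 'all_with_meta' === $qv['fields'] ) {`. With the allow-list check now preceding it, the `else` branch's `sanitize_key()` ternary only ever sees values already known to be valid and reads as a second, redundant guard; a comment such as `// Value is allow-listed above; sanitize_key() is a defensive second check.` would make that deliberate. The enclosing method continues outside the hunk.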