From 644434666e65dcc50f7ae6aa2a27d6988b72bff6 Mon Sep 17 00:00:00 2001
From: Aaron Campbell
Date: Tue, 19 Sep 2017 15:01:07 +0000
Subject: [PATCH] Database: Hardening for `wpdb::prepare()`

Previously if you passed an array of values for placeholders, additional values could be passed as well. Now additional values will be ignored.

Merges [41470] to 4.5 branch.

Built from https://develop.svn.wordpress.org/branches/4.5@41474

git-svn-id: http://core.svn.wordpress.org/branches/4.5@41307 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/wp-db.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/wp-includes/wp-db.php b/wp-includes/wp-db.php
index 066e851fa3..43ff528c7f 100644
--- a/wp-includes/wp-db.php
+++ b/wp-includes/wp-db.php
@@ -1254,9 +1254,18 @@ class wpdb {
 		$args = func_get_args();
 		array_shift( $args );
+
 		// If args were passed as an array (as in vsprintf), move them up
-		if ( isset( $args[0] ) && is_array($args[0]) )
+		if ( is_array( $args[0] ) && count( $args ) == 1 ) {
 			$args = $args[0];
+		}
+
+		foreach ( $args as $arg ) {
+			if ( ! is_scalar( $arg ) ) {
+				_doing_it_wrong( 'wpdb::prepare', sprintf( 'Unsupported value type (%s).', gettype( $arg ) ), '4.5.10' );
+			}
+		}
+
 		$query = str_replace( "'%s'", '%s', $query ); // in case someone mistakenly already singlequoted it
 		$query = str_replace( '"%s"', '%s', $query ); // doublequote unquoting
 		$query = preg_replace( '|(?