From c0a0d4ba509f3ad3d6d150cf6f94991e5ea4eb4c Mon Sep 17 00:00:00 2001 From: Boone Gorges Date: Sat, 12 Sep 2015 21:06:24 +0000 Subject: [PATCH] Use stricter sanitization for meta query clause keys. By forcing all clause keys to be strings, we make it possible to use strict comparison when validating values of 'orderby' as passed to `WP_Query`. This eliminates situations where the presence of numeric clause keys could result in an improperly validated 'orderby' value. Props nikolov.tmw. Fixes #32937. Built from https://develop.svn.wordpress.org/trunk@34090 git-svn-id: http://core.svn.wordpress.org/trunk@34058 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/class-wp-meta-query.php | 4 ++-- wp-includes/query.php | 2 +- wp-includes/version.php | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/wp-includes/class-wp-meta-query.php b/wp-includes/class-wp-meta-query.php index fbe49f3814..e1fd812e56 100644 --- a/wp-includes/class-wp-meta-query.php +++ b/wp-includes/class-wp-meta-query.php @@ -548,8 +548,8 @@ class WP_Meta_Query { $meta_type = $this->get_cast_for_type( $_meta_type ); $clause['cast'] = $meta_type; - // Fallback for clause keys is the table alias. - if ( ! $clause_key ) { + // Fallback for clause keys is the table alias. Key must be a string. + if ( is_int( $clause_key ) || ! $clause_key ) { $clause_key = $clause['alias']; } diff --git a/wp-includes/query.php b/wp-includes/query.php index 5b36393ac7..5648166e1b 100644 --- a/wp-includes/query.php +++ b/wp-includes/query.php @@ -2280,7 +2280,7 @@ class WP_Query { $allowed_keys = array_merge( $allowed_keys, array_keys( $meta_clauses ) ); } - if ( ! in_array( $orderby, $allowed_keys ) ) { + if ( ! in_array( $orderby, $allowed_keys, true ) ) { return false; } diff --git a/wp-includes/version.php b/wp-includes/version.php index 0e069baf72..5632d62f23 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '4.4-alpha-34089'; +$wp_version = '4.4-alpha-34090'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.