From 3ee40d66520855fa3f46453e440b7286cb5e2a07 Mon Sep 17 00:00:00 2001
From: Jeremy Felt <jeremyfelt@git.wordpress.org>
Date: Sun, 11 Oct 2015 23:29:55 +0000
Subject: [PATCH] MS: Reject truthy, non-numeric network ids in
 `_network_option()`.

A valid `$network_id` or `null`/`false` is expected as the first parameter for `_network_option()`. If something other than that is passed, we immediately return `false` rather than attempting to guess what network was intended.

See #28290.


git-svn-id: https://develop.svn.wordpress.org/trunk@35025 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/option.php                   | 16 +++++++
 tests/phpunit/tests/option/networkOption.php | 44 ++++++++++++++++++++
 2 files changed, 60 insertions(+)

diff --git a/src/wp-includes/option.php b/src/wp-includes/option.php
index 5d3e6fe8ef..e0e69aa519 100644
--- a/src/wp-includes/option.php
+++ b/src/wp-includes/option.php
@@ -1069,6 +1069,10 @@ function update_site_option( $option, $value ) {
 function get_network_option( $network_id, $option, $default = false ) {
 	global $wpdb, $current_site;
 
+	if ( $network_id && ! is_numeric( $network_id ) ) {
+		return false;
+	}
+
 	$network_id = (int) $network_id;
 
 	// Fallback to the current network if a network ID is not specified.
@@ -1182,6 +1186,10 @@ function get_network_option( $network_id, $option, $default = false ) {
 function add_network_option( $network_id, $option, $value ) {
 	global $wpdb, $current_site;
 
+	if ( $network_id && ! is_numeric( $network_id ) ) {
+		return false;
+	}
+
 	$network_id = (int) $network_id;
 
 	// Fallback to the current network if a network ID is not specified.
@@ -1287,6 +1295,10 @@ function add_network_option( $network_id, $option, $value ) {
 function delete_network_option( $network_id, $option ) {
 	global $wpdb, $current_site;
 
+	if ( $network_id && ! is_numeric( $network_id ) ) {
+		return false;
+	}
+
 	$network_id = (int) $network_id;
 
 	// Fallback to the current network if a network ID is not specified.
@@ -1366,6 +1378,10 @@ function delete_network_option( $network_id, $option ) {
 function update_network_option( $network_id, $option, $value ) {
 	global $wpdb, $current_site;
 
+	if ( $network_id && ! is_numeric( $network_id ) ) {
+		return false;
+	}
+
 	$network_id = (int) $network_id;
 
 	// Fallback to the current network if a network ID is not specified.
diff --git a/tests/phpunit/tests/option/networkOption.php b/tests/phpunit/tests/option/networkOption.php
index c8133cbab4..8512d1add9 100644
--- a/tests/phpunit/tests/option/networkOption.php
+++ b/tests/phpunit/tests/option/networkOption.php
@@ -38,6 +38,50 @@ class Tests_Option_NetworkOption extends WP_UnitTestCase {
 		delete_site_option( $option );
 		$this->assertEquals( $value, get_network_option( $id, $option, false ) );
 	}
+
+	/**
+	 * @dataProvider data_network_id_parameter
+	 *
+	 * @param $network_id
+	 * @param $expected_response
+	 */
+	function test_add_network_option_network_id_parameter( $network_id, $expected_response ) {
+		$option = rand_str();
+		$value = rand_str();
+
+		$this->assertEquals( $expected_response, add_network_option( $network_id, $option, $value ) );
+	}
+
+	/**
+	 * @dataProvider data_network_id_parameter
+	 *
+	 * @param $network_id
+	 * @param $expected_response
+	 */
+	function test_get_network_option_network_id_parameter( $network_id, $expected_response ) {
+		$option = rand_str();
+
+		$this->assertEquals( $expected_response, get_network_option( $network_id, $option, true ) );
+	}
+
+	function data_network_id_parameter() {
+		return array(
+			// Numeric values should always be accepted.
+			array( 1,   true ),
+			array( '1', true ),
+			array( 2,   true ),
+
+			// Null, false, and zero will be treated as the current network.
+			array( null,  true ),
+			array( false, true ),
+			array( 0,     true ),
+			array( '0',   true ),
+
+			// Other truthy or string values should be rejected.
+			array( true,     false ),
+			array( 'string', false ),
+		);
+	}
 }
 
 endif;
\ No newline at end of file