From 4138275df95a3ecb7ee400b62c8c875e9a0c0bb4 Mon Sep 17 00:00:00 2001
From: Boone Gorges <boonebgorges@git.wordpress.org>
Date: Sat, 14 Feb 2015 02:08:46 +0000
Subject: [PATCH] More careful type conversion in `WP_Query` `is_*()` methods.

`is_array( 1, '1-foo' )` returns true, which means that `is_page( 1 )`
was returning true when on a page with the slug '1-foo'. We avoid this odd
behavior by casting the queried object ID to a string before testing against
the value passed to the conditional function.

This also helps to avoid a problem where an arbitrary value for `$page` would
cause `is_page( $page )` to return true if the query had been manipulated by
a plugin to show that the current page's ID is 0.

Props boonebgorges, r-a-y, nunomorgadinho, wonderboymusic, clifgriffin.
Fixes #24674.

git-svn-id: https://develop.svn.wordpress.org/trunk@31458 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/query.php                  |  12 +-
 tests/phpunit/tests/query/conditionals.php | 150 +++++++++++++++++++++
 2 files changed, 156 insertions(+), 6 deletions(-)

diff --git a/src/wp-includes/query.php b/src/wp-includes/query.php
index 27d8c26fa4..f076533231 100644
--- a/src/wp-includes/query.php
+++ b/src/wp-includes/query.php
@@ -4077,7 +4077,7 @@ class WP_Query {
 
 		$post_obj = $this->get_queried_object();
 
-		if ( in_array( $post_obj->ID, $attachment ) ) {
+		if ( in_array( (string) $post_obj->ID, $attachment ) ) {
 			return true;
 		} elseif ( in_array( $post_obj->post_title, $attachment ) ) {
 			return true;
@@ -4109,7 +4109,7 @@ class WP_Query {
 
 		$author = (array) $author;
 
-		if ( in_array( $author_obj->ID, $author ) )
+		if ( in_array( (string) $author_obj->ID, $author ) )
 			return true;
 		elseif ( in_array( $author_obj->nickname, $author ) )
 			return true;
@@ -4141,7 +4141,7 @@ class WP_Query {
 
 		$category = (array) $category;
 
-		if ( in_array( $cat_obj->term_id, $category ) )
+		if ( in_array( (string) $cat_obj->term_id, $category ) )
 			return true;
 		elseif ( in_array( $cat_obj->name, $category ) )
 			return true;
@@ -4173,7 +4173,7 @@ class WP_Query {
 
 		$tag = (array) $tag;
 
-		if ( in_array( $tag_obj->term_id, $tag ) )
+		if ( in_array( (string) $tag_obj->term_id, $tag ) )
 			return true;
 		elseif ( in_array( $tag_obj->name, $tag ) )
 			return true;
@@ -4370,7 +4370,7 @@ class WP_Query {
 
 		$page = (array) $page;
 
-		if ( in_array( $page_obj->ID, $page ) ) {
+		if ( in_array( (string) $page_obj->ID, $page ) ) {
 			return true;
 		} elseif ( in_array( $page_obj->post_title, $page ) ) {
 			return true;
@@ -4463,7 +4463,7 @@ class WP_Query {
 
 		$post = (array) $post;
 
-		if ( in_array( $post_obj->ID, $post ) ) {
+		if ( in_array( (string) $post_obj->ID, $post ) ) {
 			return true;
 		} elseif ( in_array( $post_obj->post_title, $post ) ) {
 			return true;
diff --git a/tests/phpunit/tests/query/conditionals.php b/tests/phpunit/tests/query/conditionals.php
index 70d5a7df17..8d4b600ef5 100644
--- a/tests/phpunit/tests/query/conditionals.php
+++ b/tests/phpunit/tests/query/conditionals.php
@@ -742,6 +742,27 @@ class Tests_Query_Conditionals extends WP_UnitTestCase {
 		$this->assertFalse( is_single( 'foo' ) );
 	}
 
+	/**
+	 * @ticket 24674
+	 */
+	public function test_is_single_with_slug_that_begins_with_a_number_that_clashes_with_another_post_id() {
+		$p1 = $this->factory->post->create();
+
+		$p2_name = $p1 . '-post';
+		$p2 = $this->factory->post->create( array(
+			'slug' => $p2_name,
+		) );
+
+		$this->go_to( "/?p=$p1" );
+
+		$q = $GLOBALS['wp_query'];
+
+		$this->assertTrue( $q->is_single() );
+		$this->assertTrue( $q->is_single( $p1 ) );
+		$this->assertFalse( $q->is_single( $p2_name ) );
+		$this->assertFalse( $q->is_single( $p2 ) );
+	}
+
 	function test_is_page() {
 		$post_id = $this->factory->post->create( array( 'post_type' => 'page' ) );
 		$this->go_to( "/?page_id=$post_id" );
@@ -809,4 +830,133 @@ class Tests_Query_Conditionals extends WP_UnitTestCase {
 		$this->assertTrue( is_attachment( $post->post_title ) );
 		$this->assertTrue( is_attachment( $post->post_name ) );
 	}
+
+	/**
+	 * @ticket 24674
+	 */
+	public function test_is_attachment_with_slug_that_begins_with_a_number_that_clashes_with_a_page_ID() {
+		$p1 = $this->factory->post->create( array( 'post_type' => 'attachment' ) );
+
+		$p2_name = $p1 . '-attachment';
+		$p2 = $this->factory->post->create( array(
+			'post_type' => 'attachment',
+			'post_name' => $p2_name,
+		) );
+
+		$this->go_to( "/?attachment_id=$p1" );
+
+		$q = $GLOBALS['wp_query'];
+
+		$this->assertTrue( $q->is_attachment() );
+		$this->assertTrue( $q->is_attachment( $p1 ) );
+		$this->assertFalse( $q->is_attachment( $p2_name ) );
+		$this->assertFalse( $q->is_attachment( $p2 ) );
+	}
+
+	/**
+	 * @ticket 24674
+	 */
+	public function test_is_author_with_nicename_that_begins_with_a_number_that_clashes_with_another_author_id() {
+		$u1 = $this->factory->user->create();
+
+		$u2_name = $u1 . '_user';
+		$u2 = $this->factory->user->create( array(
+			'user_nicename' => $u2_name,
+		) );
+
+		$this->go_to( "/?author=$u1" );
+
+		$q = $GLOBALS['wp_query'];
+
+		$this->assertTrue( $q->is_author() );
+		$this->assertTrue( $q->is_author( $u1 ) );
+		$this->assertFalse( $q->is_author( $u2_name ) );
+		$this->assertFalse( $q->is_author( $u2 ) );
+	}
+
+	/**
+	 * @ticket 24674
+	 */
+	public function test_is_category_with_slug_that_begins_with_a_number_that_clashes_with_another_category_id() {
+		$c1 = $this->factory->category->create();
+
+		$c2_name = $c1 . '-category';
+		$c2 = $this->factory->category->create( array(
+			'slug' => $c2_name,
+		) );
+
+		$this->go_to( "/?cat=$c1" );
+
+		$q = $GLOBALS['wp_query'];
+
+		$this->assertTrue( $q->is_category() );
+		$this->assertTrue( $q->is_category( $c1 ) );
+		$this->assertFalse( $q->is_category( $c2_name ) );
+		$this->assertFalse( $q->is_category( $c2 ) );
+	}
+
+	/**
+	 * @ticket 24674
+	 */
+	public function test_is_tag_with_slug_that_begins_with_a_number_that_clashes_with_another_tag_id() {
+		$t1 = $this->factory->tag->create();
+
+		$t2_name = $t1 . '-tag';
+		$t2 = $this->factory->tag->create( array(
+			'slug' => $t2_name,
+		) );
+
+		$this->go_to( "/?tag_id=$t1" );
+
+		$q = $GLOBALS['wp_query'];
+
+		$this->assertTrue( $q->is_tag() );
+		$this->assertTrue( $q->is_tag( $t1 ) );
+		$this->assertFalse( $q->is_tag( $t2_name ) );
+		$this->assertFalse( $q->is_tag( $t2 ) );
+	}
+
+	/**
+	 * @ticket 24674
+	 */
+	public function test_is_page_with_page_id_zero_and_random_page_slug() {
+		$post_id = $this->factory->post->create( array( 'post_type' => 'page' ) );
+		$this->go_to( "/?page_id=$post_id" );
+
+		// override post ID to 0 temporarily for testing
+		$_id = $GLOBALS['wp_query']->post->ID;
+		$GLOBALS['wp_query']->post->ID = 0;
+
+		$post = get_queried_object();
+		$q = $GLOBALS['wp_query'];
+
+		$this->assertTrue( $q->is_page() );
+		$this->assertFalse( $q->is_page( 'sample-page' ) );
+		$this->assertFalse( $q->is_page( 'random-page-slug' ) );
+
+		// revert $wp_query global change
+		$GLOBALS['wp_query']->post->ID = $_id;
+	}
+
+	/**
+	 * @ticket 24674
+	 */
+	public function test_is_page_with_page_slug_that_begins_with_a_number_that_clashes_with_a_page_ID() {
+		$p1 = $this->factory->post->create( array( 'post_type' => 'page' ) );
+
+		$p2_name = $p1 . '-page';
+		$p2 = $this->factory->post->create( array(
+			'post_type' => 'page',
+			'post_name' => $p2_name,
+		) );
+
+		$this->go_to( "/?page_id=$p1" );
+
+		$q = $GLOBALS['wp_query'];
+
+		$this->assertTrue( $q->is_page() );
+		$this->assertTrue( $q->is_page( $p1 ) );
+		$this->assertFalse( $q->is_page( $p2_name ) );
+		$this->assertFalse( $q->is_page( $p2 ) );
+	}
 }