From 4fdfdb6078c20d7d6eb7ba477af4dd0bd3249098 Mon Sep 17 00:00:00 2001 From: Boone Gorges Date: Sat, 12 Sep 2015 21:05:14 +0000 Subject: [PATCH] Use stricter sanitization for meta query clause keys. By forcing all clause keys to be strings, we make it possible to use strict comparison when validating values of 'orderby' as passed to `WP_Query`. This eliminates situations where the presence of numeric clause keys could result in an improperly validated 'orderby' value. Props nikolov.tmw. Fixes #32937. git-svn-id: https://develop.svn.wordpress.org/trunk@34090 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-includes/class-wp-meta-query.php | 4 ++-- src/wp-includes/query.php | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/wp-includes/class-wp-meta-query.php b/src/wp-includes/class-wp-meta-query.php index fbe49f3814..e1fd812e56 100644 --- a/src/wp-includes/class-wp-meta-query.php +++ b/src/wp-includes/class-wp-meta-query.php @@ -548,8 +548,8 @@ class WP_Meta_Query { $meta_type = $this->get_cast_for_type( $_meta_type ); $clause['cast'] = $meta_type; - // Fallback for clause keys is the table alias. - if ( ! $clause_key ) { + // Fallback for clause keys is the table alias. Key must be a string. + if ( is_int( $clause_key ) || ! $clause_key ) { $clause_key = $clause['alias']; } diff --git a/src/wp-includes/query.php b/src/wp-includes/query.php index 5b36393ac7..5648166e1b 100644 --- a/src/wp-includes/query.php +++ b/src/wp-includes/query.php @@ -2280,7 +2280,7 @@ class WP_Query { $allowed_keys = array_merge( $allowed_keys, array_keys( $meta_clauses ) ); } - if ( ! in_array( $orderby, $allowed_keys ) ) { + if ( ! in_array( $orderby, $allowed_keys, true ) ) { return false; }