From e5e4f0d977f6107cba64ce756a2c57c50055528c Mon Sep 17 00:00:00 2001
From: Sergey Biryukov
Date: Sun, 28 Jun 2020 21:02:18 +0000
Subject: [PATCH] Bootstrap/Load: Make sure `add_magic_quotes()` does not inappropriately recast non-string data types to string. Props donmhico, jrf, Veraxus, Rarst. Fixes #48605.
git-svn-id: https://develop.svn.wordpress.org/trunk@48205 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/functions.php | 4 ++
 .../tests/functions/addMagicQuotes.php | 64 +++++++++++++++++++
 2 files changed, 68 insertions(+)
 create mode 100644 tests/phpunit/tests/functions/addMagicQuotes.php

diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php
index 3056eec29d..4fea38c7fa 100644
--- a/src/wp-includes/functions.php
+++ b/src/wp-includes/functions.php
@@ -1219,6 +1219,7 @@ function wp_removable_query_args() {
 * Walks the array while sanitizing the contents.
 *
 * @since 0.71
+ * @since 5.5.0 Non-string values are left untouched.
 *
 * @param array $array Array to walk while sanitizing contents.
 * @return array Sanitized $array.
@@ -1227,10 +1228,13 @@ function add_magic_quotes( $array ) {
 foreach ( (array) $array as $k => $v ) {
 if ( is_array( $v ) ) {
 $array[ $k ] = add_magic_quotes( $v );
+ } elseif ( ! is_string( $v ) ) {
+ continue;
 } else {
 $array[ $k ] = addslashes( $v );
 }
 }
+
 return $array;
 }

diff --git a/tests/phpunit/tests/functions/addMagicQuotes.php b/tests/phpunit/tests/functions/addMagicQuotes.php
new file mode 100644
index 0000000000..81e1f010cb
--- /dev/null
+++ b/tests/phpunit/tests/functions/addMagicQuotes.php
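Review bot: The docblock on `add_magic_quotes()` still promises a "Sanitized $array", but the loop in the second functions.php hunk only runs `addslashes()` over string values: array keys (`$k`) are never touched and, with the new `elseif`, every non-string value is returned as received. `addslashes()` is also not context-aware escaping, so the wording invites callers to treat the result as safe for SQL or HTML output when it is not. I would reword the tags to `@param array $array Array whose string values are slashed.` and `@return array $array with string values slashed; keys and non-string values are unchanged.` Separately, the `foreach` iterates `(array) $array` while assigning into the uncast `$array`, so the cast alone does not make a non-array argument behave; whether that input occurs depends on callers outside this diff.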
@@ -0,0 +1,64 @@
+assertSame( $expected, add_magic_quotes( $test_array ) );
+ }
+
+ /**
+ * Data provider for test_add_magic_quotes.
+ *
+ * @return array[] Test parameters {
+ * @type array $test_array Test value.
+ * @type array $expected Expected return value.
+ * }
+ */
+ public function data_add_magic_quotes() {
+ return array(
+ array(
+ array(
+ 'sample string',
+ 52,
+ true,
+ false,
+ null,
+ "This is a 'string'",
+ array(
+ 1,
+ false,
+ true,
+ 'This is "another" string',
+ ),
+ ),
+ array(
+ 'sample string',
+ 52,
+ true,
+ false,
+ null,
+ "This is a \'string\'",
+ array(
+ 1,
+ false,
+ true,
+ 'This is \"another\" string',
+ ),
+ ),
+ ),
+ );
+ }
+
+}
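Review bot: The single data set in `data_add_magic_quotes()` does not pin every case the commit message is about: it has integers, booleans and `null`, but no float and no string-keyed entry, and its strings exercise only quotes, never a backslash. Adding a float such as `1.5`, a string-keyed string value, and a string containing a backslash to both the input and the expected array would lock in that non-strings keep their type and that keys come back unchanged. The start of this hunk (the class and test method declaration) is not intact in this view, so this comment covers the provider only.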