Query: Guard string vars against array injection

Author: sanketio

src/wp-includes/class-wp-query.php

@@ -826,18 +826,21 @@ public function parse_query( $query = '' ) {
 			$query_vars['p'] = (int) $query_vars['p'];
 		}
 
-		$query_vars['page_id']  = is_scalar( $query_vars['page_id'] ) ? absint( $query_vars['page_id'] ) : 0;
-		$query_vars['year']     = is_scalar( $query_vars['year'] ) ? absint( $query_vars['year'] ) : 0;
-		$query_vars['monthnum'] = is_scalar( $query_vars['monthnum'] ) ? absint( $query_vars['monthnum'] ) : 0;
-		$query_vars['day']      = is_scalar( $query_vars['day'] ) ? absint( $query_vars['day'] ) : 0;
-		$query_vars['w']        = is_scalar( $query_vars['w'] ) ? absint( $query_vars['w'] ) : 0;
-		$query_vars['m']        = is_scalar( $query_vars['m'] ) ? preg_replace( '|[^0-9]|', '', $query_vars['m'] ) : '';
-		$query_vars['paged']    = is_scalar( $query_vars['paged'] ) ? absint( $query_vars['paged'] ) : 0;
-		$query_vars['cat']      = preg_replace( '|[^0-9,-]|', '', $query_vars['cat'] ); // Array or comma-separated list of positive or negative integers.
-		$query_vars['author']   = is_scalar( $query_vars['author'] ) ? preg_replace( '|[^0-9,-]|', '', $query_vars['author'] ) : ''; // Comma-separated list of positive or negative integers.
-		$query_vars['pagename'] = is_scalar( $query_vars['pagename'] ) ? trim( $query_vars['pagename'] ) : '';
-		$query_vars['name']     = is_scalar( $query_vars['name'] ) ? trim( $query_vars['name'] ) : '';
-		$query_vars['title']    = is_scalar( $query_vars['title'] ) ? trim( $query_vars['title'] ) : '';
+		$query_vars['page_id']     = is_scalar( $query_vars['page_id'] ) ? absint( $query_vars['page_id'] ) : 0;
+		$query_vars['year']        = is_scalar( $query_vars['year'] ) ? absint( $query_vars['year'] ) : 0;
+		$query_vars['monthnum']    = is_scalar( $query_vars['monthnum'] ) ? absint( $query_vars['monthnum'] ) : 0;
+		$query_vars['day']         = is_scalar( $query_vars['day'] ) ? absint( $query_vars['day'] ) : 0;
+		$query_vars['w']           = is_scalar( $query_vars['w'] ) ? absint( $query_vars['w'] ) : 0;
+		$query_vars['m']           = is_scalar( $query_vars['m'] ) ? preg_replace( '|[^0-9]|', '', $query_vars['m'] ) : '';
+		$query_vars['paged']       = is_scalar( $query_vars['paged'] ) ? absint( $query_vars['paged'] ) : 0;
+		$query_vars['cat']         = preg_replace( '|[^0-9,-]|', '', $query_vars['cat'] ); // Array or comma-separated list of positive or negative integers.
+		$query_vars['author']      = is_scalar( $query_vars['author'] ) ? preg_replace( '|[^0-9,-]|', '', $query_vars['author'] ) : ''; // Comma-separated list of positive or negative integers.
+		$query_vars['pagename']    = is_scalar( $query_vars['pagename'] ) ? trim( $query_vars['pagename'] ) : '';
+		$query_vars['name']        = is_scalar( $query_vars['name'] ) ? trim( $query_vars['name'] ) : '';
+		$query_vars['title']       = is_scalar( $query_vars['title'] ) ? trim( $query_vars['title'] ) : '';
+		$query_vars['author_name'] = is_string( $query_vars['author_name'] ) ? $query_vars['author_name'] : '';
+		$query_vars['feed']        = is_string( $query_vars['feed'] ) ? $query_vars['feed'] : '';
+		$query_vars['attachment']  = is_string( $query_vars['attachment'] ) ? $query_vars['attachment'] : '';
 
 		if ( is_scalar( $query_vars['hour'] ) && '' !== $query_vars['hour'] ) {
 			$query_vars['hour'] = absint( $query_vars['hour'] );

tests/phpunit/tests/query/parseQuery.php

@@ -264,4 +264,52 @@ public function test_parse_query_hierarchical_taxonomy_query_var_array() {
 
 		$this->assertIsArray( $q->posts );
 	}
+
+	/**
+	 * Data provider of string-only query vars and a representative valid value.
+	 *
+	 * @ticket 64507
+	 *
+	 * @return array[]
+	 */
+	public function data_string_query_vars() {
+		return array(
+			'author_name' => array( 'author_name', 'johndoe' ),
+			'feed'        => array( 'feed', 'rss2' ),
+			'attachment'  => array( 'attachment', 'my-image' ),
+		);
+	}
+
+	/**
+	 * Ensure that string query vars pass through parse_query() unchanged.
+	 *
+	 * @ticket 64507
+	 * @dataProvider data_string_query_vars
+	 *
+	 * @param string $query_var Query var name.
+	 * @param string $value     Valid string value.
+	 */
+	public function test_parse_query_string_var_string_value( $query_var, $value ) {
+		$q = new WP_Query();
+		$q->parse_query( array( $query_var => $value ) );
+
+		$this->assertSame( $value, $q->query_vars[ $query_var ] );
+	}
+
+	/**
+	 * Ensure that array values for string-only query vars are rejected (returns ''),
+	 * preventing a TypeError fatal from str_contains() / str_replace() / wp_basename()
+	 * on PHP 8+.
+	 *
+	 * @ticket 64507
+	 * @dataProvider data_string_query_vars
+	 *
+	 * @param string $query_var Query var name.
+	 */
+	public function test_parse_query_string_var_array_value( $query_var ) {
+		$q = new WP_Query();
+		$q->parse_query( array( $query_var => array( 'unexpected', 'array' ) ) );
+
+		$this->assertSame( '', $q->query_vars[ $query_var ] );
+	}
 }