From 26c92e5e03bc01fecf7ff2056e3b06bd00d896a4 Mon Sep 17 00:00:00 2001
From: Joe Dolson
Date: Wed, 1 Feb 2023 22:15:04 +0000
Subject: [PATCH] Media: Ensure media IDs are type `int` in bulk editing.

Cast all array values to integers using `array_map` so functions like `wp_delete_attachment` receiving the expected variable type.

Props eherman24, joedolson.
Fixes #56170.

git-svn-id: https://develop.svn.wordpress.org/trunk@55183 602fd350-edb4-49c9-b593-d223f7449a82
---
src/wp-admin/upload.php | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/wp-admin/upload.php b/src/wp-admin/upload.php
index 87078001c4..1790ab281e 100644
--- a/src/wp-admin/upload.php
+++ b/src/wp-admin/upload.php
@@ -219,6 +219,7 @@ if ( $doaction ) {
 } elseif ( isset( $_REQUEST['ids'] ) ) {
 $post_ids = explode( ',', $_REQUEST['ids'] );
 }
+ $post_ids = array_map( 'intval', (array) $post_ids );
 $location = 'upload.php';
 $referer = wp_get_referer();
@@ -241,7 +242,7 @@ if ( $doaction ) {
 if ( empty( $post_ids ) ) {
 break;
 }
- foreach ( (array) $post_ids as $post_id ) {
+ foreach ( $post_ids as $post_id ) {
 if ( ! current_user_can( 'delete_post', $post_id ) ) {
 wp_die( __( 'Sorry, you are not allowed to move this item to the Trash.' ) );
 }
@@ -262,7 +263,7 @@ if ( $doaction ) {
 if ( empty( $post_ids ) ) {
 break;
 }
- foreach ( (array) $post_ids as $post_id ) {
+ foreach ( $post_ids as $post_id ) {
 if ( ! current_user_can( 'delete_post', $post_id ) ) {
 wp_die( __( 'Sorry, you are not allowed to restore this item from the Trash.' ) );
 }
@@ -277,7 +278,7 @@ if ( $doaction ) {
 if ( empty( $post_ids ) ) {
 break;
 }
- foreach ( (array) $post_ids as $post_id_del ) {
+ foreach ( $post_ids as $post_id_del ) {
 if ( ! current_user_can( 'delete_post', $post_id_del ) ) {
 wp_die( __( 'Sorry, you are not allowed to delete this item.' ) );
 }
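Review bot: The added `array_map( 'intval', (array) $post_ids )` in the first hunk coerces every empty or non-numeric element to `0` instead of discarding it, so an empty `ids` value (where `explode` returns a single empty string) yields `[0]` and the `empty( $post_ids )` guards in the trash, untrash and delete cases do not fire. Dropping the zeros at the same point keeps only plausible attachment IDs flowing into `current_user_can()` and the calls that follow: `$post_ids = array_filter( array_map( 'intval', (array) $post_ids ) );`. The `if`/`elseif` chain that assigns `$post_ids` starts above the hunk, so it cannot be confirmed from here that the variable is always set before this line; if no branch ran, `(array) $post_ids` would raise an undefined-variable warning, and an explicit `$post_ids = array();` before the chain would rule that out.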