Users: Validate WP_User_Query's fields argument.

Improve validation of `WP_User_Query`'s `fields` argument when passed as an array to ensure it only accepts permitted values. This prevents the invalid values being included in the generated database query.

Expand unit tests to include passing invalid values as part of an array, and the lower case value `id`. Correct earlier unit tests to limit the database query to one result.

Follow up to [53255].

Props felipeelia.
Fixes #53177.



git-svn-id: https://develop.svn.wordpress.org/trunk@53327 602fd350-edb4-49c9-b593-d223f7449a82
Peter Wilson
2022-05-02 00:11:48 +00:00
parent 36f34cf58d
commit 63f3914e51
2 changed files with 49 additions and 17 deletions


@@ -285,7 +285,11 @@ class WP_User_Query {
);
if ( is_array( $qv['fields'] ) ) {
$qv['fields'] = array_unique( $qv['fields'] );
$qv['fields'] = array_intersect( array_unique( $qv['fields'] ), $allowed_fields );
if ( empty( $qv['fields'] ) ) {
$qv['fields'] = array( 'ID' );
}
$this->query_fields = array();
foreach ( $qv['fields'] as $field ) {
@@ -293,8 +297,10 @@ class WP_User_Query {
$this->query_fields[] = "$wpdb->users.$field";
}
$this->query_fields = implode( ',', $this->query_fields );
} elseif ( ! in_array( $qv['fields'], $allowed_fields, true ) ) {
} elseif ( 'all' === $qv['fields'] ) {
$this->query_fields = "$wpdb->users.*";
} elseif ( ! in_array( $qv['fields'], $allowed_fields, true ) ) {
$this->query_fields = "$wpdb->users.ID";
} else {
$field = 'ID' === $qv['fields'] ? 'ID' : sanitize_key( $qv['fields'] );
$this->query_fields = "$wpdb->users.$field";
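Review bot: In the array branch the intersected `$field` values are interpolated into the column list as-is, without the `'ID' === $field ? 'ID' : sanitize_key( $field )` normalisation the string branch applies, so the safety of that SQL fragment rests entirely on `$allowed_fields` (built above the first hunk, outside this view) holding only real column names. The separate `'all'` branch for the string case suggests `'all'` (and possibly `'all_with_meta'`) is also in `$allowed_fields`; if so, `array( 'all' )` survives `array_intersect()` and produces `$wpdb->users.all`, which is not a column. Dropping those pseudo-fields before the empty check, `$qv['fields'] = array_diff( $qv['fields'], array( 'all', 'all_with_meta' ) );`, and applying the same per-element mapping as the string branch inside the foreach would close that gap. Note also that `array_intersect()` compares case-sensitively while the new `'id'` handling on the string path does not, so a lowercase `'id'` inside an array is either silently dropped or passed through depending on the allow-list contents; a short comment stating the intended behaviour there would help the next reader.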


@@ -1982,8 +1982,8 @@ class Tests_User_Query extends WP_UnitTestCase {
public function test_returning_fields( $field, $expected_values ) {
$q = new WP_User_Query(
array(
'fields' => $field,
'include ' => array( self::$admin_ids[0] ),
'fields' => $field,
'include' => array( '1' ),
)
);
$results = $q->get_results();
@@ -2007,68 +2007,94 @@ class Tests_User_Query extends WP_UnitTestCase {
public function data_returning_fields() {
return array(
'all' => array(
'all' => array(
'field' => 'all',
'expected' => array(
'ID' => '1',
'user_login' => 'admin',
'user_nicename' => 'admin',
'user_email' => 'admin@example.org',
'user_url' => 'http://example.org',
'user_email' => WP_TESTS_EMAIL,
'user_url' => wp_guess_url(),
'user_activation_key' => '',
'user_status' => '0',
'display_name' => 'admin',
),
),
'all_with_meta' => array(
'all_with_meta' => array(
'field' => 'all_with_meta',
'expected' => array(
'ID' => '1',
'user_login' => 'admin',
'user_nicename' => 'admin',
'user_email' => 'admin@example.org',
'user_url' => 'http://example.org',
'user_email' => WP_TESTS_EMAIL,
'user_url' => wp_guess_url(),
'user_activation_key' => '',
'user_status' => '0',
'display_name' => 'admin',
),
),
'ID' => array(
'ID' => array(
'field' => 'ID',
'expected' => array(
'ID' => '1',
),
),
'display_name' => array(
'id' => array(
'field' => 'id',
'expected' => array(
'ID' => '1',
),
),
'display_name' => array(
'field' => 'display_name',
'expected' => array(
'display_name' => 'admin',
),
),
'user_login' => array(
'user_login' => array(
'field' => 'user_login',
'expected' => array(
'user_login' => 'admin',
),
),
'user_nicename' => array(
'user_nicename' => array(
'field' => 'user_nicename',
'expected' => array(
'user_nicename' => 'admin',
),
),
'user_email' => array(
'user_email' => array(
'field' => 'user_email',
'expected' => array(
'user_email' => 'admin@example.org',
'user_email' => WP_TESTS_EMAIL,
),
),
'invalid_field' => array(
'invalid_field' => array(
'field' => 'invalid_field',
'expected' => array(
'0' => '1',
),
),
'valid_array' => array(
'field' => array( 'ID', 'display_name' ),
'expected' => array(
'ID' => '1',
'display_name' => 'admin',
),
),
'semivalid_array' => array(
'field' => array( 'ID', 'display_name', 'invalid_field' ),
'expected' => array(
'ID' => '1',
'display_name' => 'admin',
),
),
'invalid_array' => array(
'field' => array( 'invalid_field' ),
'expected' => array(
'ID' => '1',
),
),
);
}
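Review bot: The new datasets cover lowercase `'id'` only as a string and invalid names only inside an array, so the case-sensitivity of the array path (which now goes through `array_intersect()` rather than the string branch's `sanitize_key()` mapping) is left unpinned. A dataset such as `'id_array' => array( 'field' => array( 'id', 'display_name' ), 'expected' => array( 'ID' => '1', 'display_name' => 'admin' ) )` would document whether lowercase names in an array are kept or dropped to the `ID` fallback — the expected value depends on whether `'id'` is in `$allowed_fields`, which is not visible here. Likewise an `'all_array'` case with `array( 'all' )` would pin that the pseudo-field cannot reach the column list. The `'include' => array( '1' )` change hard-codes user 1; that matches the `'admin'` expectations above it, but `self::$admin_ids[0]` in the removed line suggests the fixture id may not always be 1, so it may be worth confirming which is intended.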