From 63f3914e512c8a6b396e93f30f2772584b510b56 Mon Sep 17 00:00:00 2001 From: Peter Wilson Date: Mon, 2 May 2022 00:11:48 +0000 Subject: [PATCH] Users: Validate `WP_User_Query`'s `fields` argument. Improve validation of `WP_User_Query`'s `fields` argument when passed as an array to ensure it only accepts permitted values. This prevents the invalid values being included in the generated database query. Expand unit tests to include passing invalid values as part of an array, the lower case value `id`. Correct earlier unit tests to limit database query to one result. Follow up to [53255]. Props felipeelia. Fixes #53177. git-svn-id: https://develop.svn.wordpress.org/trunk@53327 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-includes/class-wp-user-query.php | 10 ++++- tests/phpunit/tests/user/query.php | 56 ++++++++++++++++++------- 2 files changed, 49 insertions(+), 17 deletions(-) diff --git a/src/wp-includes/class-wp-user-query.php b/src/wp-includes/class-wp-user-query.php index 3d6b28bcc3..050b2822f6 100644 --- a/src/wp-includes/class-wp-user-query.php +++ b/src/wp-includes/class-wp-user-query.php @@ -285,7 +285,11 @@ class WP_User_Query { ); if ( is_array( $qv['fields'] ) ) { - $qv['fields'] = array_unique( $qv['fields'] ); + $qv['fields'] = array_intersect( array_unique( $qv['fields'] ), $allowed_fields ); + + if ( empty( $qv['fields'] ) ) { + $qv['fields'] = array( 'ID' ); + } $this->query_fields = array(); foreach ( $qv['fields'] as $field ) { 
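Review bot: `array_intersect()` preserves the keys of its first argument, so after the new `$qv['fields'] = array_intersect( array_unique( $qv['fields'] ), $allowed_fields );` line the array can be sparse (for example keys 0 and 2 when the middle entry was rejected); the `foreach` that follows does not care, but anything downstream that reads `$qv['fields'][0]` or assumes a list would, so `$qv['fields'] = array_values( array_intersect( array_unique( $qv['fields'] ), $allowed_fields ) );` is cheap insurance. `array_intersect()` also compares by string cast, so a nested array or object inside a caller-supplied `fields` array is dropped only after PHP emits an Array-to-string conversion warning; whether such input can reach this point depends on callers not visible in the hunk. A why-comment above the filter would help the next reader, e.g. `// Keep only allow-listed column names so unvetted values never reach the generated SQL; fall back to ID when nothing valid remains.`. The `foreach` body and the rest of the enclosing method continue outside the hunk.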
@@ -293,8 +297,10 @@ class WP_User_Query {
 $this->query_fields[] = "$wpdb->users.$field";
 }
 $this->query_fields = implode( ',', $this->query_fields );
- } elseif ( ! in_array( $qv['fields'], $allowed_fields, true ) ) {
+ } elseif ( 'all' === $qv['fields'] ) {
 $this->query_fields = "$wpdb->users.*";
+ } elseif ( ! in_array( $qv['fields'], $allowed_fields, true ) ) {
+ $this->query_fields = "$wpdb->users.ID";
 } else {
 $field = 'ID' === $qv['fields'] ? 'ID' : sanitize_key( $qv['fields'] );
 $this->query_fields = "$wpdb->users.$field";
diff --git a/tests/phpunit/tests/user/query.php b/tests/phpunit/tests/user/query.php
index 4ee93ae167..eac4efd7a7 100644
--- a/tests/phpunit/tests/user/query.php
+++ b/tests/phpunit/tests/user/query.php
@@ -1982,8 +1982,8 @@ class Tests_User_Query extends WP_UnitTestCase {
 public function test_returning_fields( $field, $expected_values ) {
 $q = new WP_User_Query(
 array(
- 'fields' => $field,
- 'include ' => array( self::$admin_ids[0] ),
+ 'fields' => $field,
+ 'include' => array( '1' ),
 )
 );
 $results = $q->get_results();
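Review bot: The new `} elseif ( ! in_array( $qv['fields'], $allowed_fields, true ) ) {` branch silently downgrades any unrecognised scalar `fields` value to `"$wpdb->users.ID"`, and the array branch in the previous hunk does the same with `array( 'ID' )`; neither path tells the caller its argument was discarded, so a typo in calling code now quietly yields ID-only rows instead of surfacing. Since the commit frames this as validation, a `_doing_it_wrong()` call, or at minimum a comment such as `// Unknown field names are not an error: the query falls back to selecting only ID.`, in both fallback branches would make that contract explicit. The `sanitize_key()` in the `else` branch now runs on a value that has already passed the strict allow-list check, so it looks redundant unless `$allowed_fields` (not visible here) contains entries that still need normalising; a one-line comment there would settle it. The enclosing method starts and ends outside the hunk.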
@@ -2007,68 +2007,94 @@ class Tests_User_Query extends WP_UnitTestCase { public function data_returning_fields() { return array( - 'all' => array( + 'all' => array( 'field' => 'all', 'expected' => array( 'ID' => '1', 'user_login' => 'admin', 'user_nicename' => 'admin', - 'user_email' => 'admin@example.org', - 'user_url' => 'http://example.org', + 'user_email' => WP_TESTS_EMAIL, + 'user_url' => wp_guess_url(), 'user_activation_key' => '', 'user_status' => '0', 'display_name' => 'admin', ), ), - 'all_with_meta' => array( + 'all_with_meta' => array( 'field' => 'all_with_meta', 'expected' => array( 'ID' => '1', 'user_login' => 'admin', 'user_nicename' => 'admin', - 'user_email' => 'admin@example.org', - 'user_url' => 'http://example.org', + 'user_email' => WP_TESTS_EMAIL, + 'user_url' => wp_guess_url(), 'user_activation_key' => '', 'user_status' => '0', 'display_name' => 'admin', ), ), - 'ID' => array( + 'ID' => array( 'field' => 'ID', 'expected' => array( 'ID' => '1', ), ), - 'display_name' => array( + 'id' => array( + 'field' => 'id', + 'expected' => array( + 'ID' => '1', + ), + ), + 'display_name' => array( 'field' => 'display_name', 'expected' => array( 'display_name' => 'admin', ), ), - 'user_login' => array( + 'user_login' => array( 'field' => 'user_login', 'expected' => array( 'user_login' => 'admin', ), ), - 'user_nicename' => array( + 'user_nicename' => array( 'field' => 'user_nicename', 'expected' => array( 'user_nicename' => 'admin', ), ), - 'user_email' => array( + 'user_email' => array( 'field' => 'user_email', 'expected' => array( - 'user_email' => 'admin@example.org', + 'user_email' => WP_TESTS_EMAIL, ), ), - 'invalid_field' => array( + 'invalid_field' => array( 'field' => 'invalid_field', 'expected' => array( '0' => '1', ), ), + 'valid_array' => array( + 'field' => array( 'ID', 'display_name' ), + 'expected' => array( + 'ID' => '1', + 'display_name' => 'admin', + ), + ), + 'semivalid_array' => array( + 'field' => array( 'ID', 'display_name', 
'invalid_field' ), + 'expected' => array( + 'ID' => '1', + 'display_name' => 'admin', + ), + ), + 'invalid_array' => array( + 'field' => array( 'invalid_field' ), + 'expected' => array( + 'ID' => '1', + ), + ), ); }