Ticket #4762 (reopened enhancement)

Opened 11 months ago

Last modified 4 months ago

new function: absint()

Reported by: markjaquith Assigned to: markjaquith
Priority: normal Milestone: 2.6
Component: Security Version: 2.3
Severity: normal Keywords: int security needs-patch
Cc: ruckus

Description

There were a few bugs whereby things were being cast to ints and providing a negative int would mess up a query (for instance, with SQL LIMITs). We accept negative ints for post IDs (temporarily), but in all other places that Matt or I could think of, we use positive integers.

function absint($string) {
	return abs(intval($string));
}

We'd then convert all instances of intval() or (int) casting to use absint() (minus post IDs).

Objections? Thoughts?
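Added example, not code from the ticket or from WordPress itself: it shows what intval() makes of request input, why a negative result broke SQL LIMIT clauses, and what absint() does and does not guarantee. The helper is named absint_example() so it does not collide with WordPress's own absint(); the table name wp_posts, the sample inputs and the clamp_per_page() helper are constructed for illustration.

```php
<?php
// Added example, not WordPress code. absint_example() mirrors the function
// proposed in the ticket; the name is chosen here to avoid clashing with the
// real absint() when this file is run inside a WordPress checkout.
function absint_example($maybeint) {
    return abs(intval($maybeint));
}

// Constructed sample values of the kind a query-string parameter might carry.
// intval() skips leading whitespace, reads leading digits and stops at the
// first non-digit, so ' 12abc' becomes 12, '8M' becomes 8 and 'abc' becomes 0.
$inputs = array('10', '-10', ' 12abc', '8M', '32M', 'abc', '3.9', '-0');

foreach ($inputs as $in) {
    printf("%-10s intval=%-4d absint=%d\n",
        var_export($in, true), intval($in), absint_example($in));
}

// "Before": a plain (int) cast. It rules out string injection through this
// value, but a negative number survives and produces a clause such as
// "LIMIT -5, -10", which MySQL rejects as a syntax error, so the query fails.
function posts_query_int_cast($offset, $per_page) {
    $offset   = (int) $offset;
    $per_page = (int) $per_page;
    return "SELECT ID FROM wp_posts ORDER BY post_date DESC LIMIT $offset, $per_page";
}

// "After": the same query built with absint(). Both operands are now
// non-negative integers, so the LIMIT clause is always well-formed.
function posts_query_absint($offset, $per_page) {
    $offset   = absint_example($offset);
    $per_page = absint_example($per_page);
    return "SELECT ID FROM wp_posts ORDER BY post_date DESC LIMIT $offset, $per_page";
}

echo posts_query_int_cast('-5', '-10'), "\n";
echo posts_query_absint('-5', '-10'), "\n";

// Caveat: absint() fixes the sign, not the range. A caller that needs an upper
// bound (a per-page cap, an ID that must exist) still has to check it. One
// corner case on 64-bit PHP: abs(PHP_INT_MIN) does not fit in an int, so abs()
// returns a float, and a float interpolated into SQL is not what the query expects.
var_dump(absint_example((string) PHP_INT_MIN));

// Constructed helper for the per-page case: a non-negative int within [1, $max].
// It treats the float corner case above as invalid rather than interpolating it.
function clamp_per_page($maybeint, $max = 100) {
    $n = absint_example($maybeint);
    if (!is_int($n) || $n < 1) {
        return 1;
    }
    return min($n, $max);
}

var_dump(clamp_per_page('-250'));
var_dump(clamp_per_page((string) PHP_INT_MIN));
```

Run it with `php` on the command line. The shim at the top is only there so the file runs stand-alone; inside WordPress the real absint() (introduced in [6222] per this ticket) is the function to call, and the clamp shows the extra bound a caller still owes on top of it.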

Attachments

4762.diff (0.5 kB) - added by ruckus on 01/29/08 19:16:41.
absint doesn't exist yet

Change History

08/16/07 19:58:46 changed by markjaquith

  • keywords set to int security.
  • owner changed from anonymous to markjaquith.
  • status changed from new to assigned.
  • component changed from Administration to Security.

08/17/07 11:09:22 changed by matt

+1 megapatch.

10/10/07 22:11:18 changed by markjaquith

(In [6222]) Introducing absint() for casting to an absolute integer. see #4762

01/02/08 09:36:48 changed by DD32

  • status changed from assigned to closed.
  • type changed from task to enhancement.
  • resolution set to fixed.

(follow-up: ↓ 6 ) 01/02/08 17:54:05 changed by lloydbudd

  • status changed from closed to reopened.
  • resolution deleted.

Re-opening for markjaquith to close. He might be planning on using that function before closing this ticket.

(in reply to: ↑ 5 ) 01/02/08 22:13:12 changed by DD32

Replying to lloydbudd:

Re-opening for markjaquith to close. He might be planning on using that function before closing this ticket.

Apologies for stepping on anyone's toes.

absint() has been put into use in several places (comment/post/taxonomy/functions .php)

01/29/08 18:48:38 changed by westi

(In [6682]) Switch from abs(intval()) to absint(). See #4762.

01/29/08 19:11:45 changed by rubys

01/29/08 19:16:41 changed by ruckus

  • attachment 4762.diff added.

absint doesn't exist yet

01/29/08 19:18:17 changed by ruckus

The absint() function doesn't exist this early, so need to use abs(intval()).

While there, made both sides of the comparison use abs(intval()) for identical treatment of the non-integer values (e.g. 8M or 32M).

01/29/08 19:19:10 changed by ruckus

Err, "this early" == in wp-settings.php

01/29/08 19:29:21 changed by ruckus

  • cc set to ruckus.

(follow-up: ↓ 13 ) 01/29/08 20:00:18 changed by ryan

(In [6684]) absint is not defined yet. see #4762

(in reply to: ↑ 12 ) 01/29/08 21:16:33 changed by westi

Replying to ryan:

(In [6684]) absint is not defined yet. see #4762

/me slaps wrist... that's what I get for doing the change when I'm tired :-(

03/15/08 19:49:32 changed by westi

  • keywords changed from int security to int security needs-patch.

The only place we don't use this now where we have abs(intval()) instead is in wp-settings.php where it is too early and not defined.

There are a number of places where we only use intval(), though, but these need to be checked carefully, so moving to 2.6 for the remaining changes and marking as needs-patch.

03/19/08 15:31:32 changed by ffemtcj

  • milestone changed from 2.5 to 2.6.