line check iteration on non-String options value #96
Comments
|
I tried to resolve the problem introducing a // Check option.
if ( $matches && $matches[1]) {
$opt_value = get_option( $matches[1] );
if ( is_scalar( $opt_value ) && self::_check_file_line(strval( $opt_value ), $num ) ) {
array_push( $results, 'get_option' );
}
}Stumbled across one really bad case. Imagine the following line of code: $o = get_option( 'endless recursion' );with the option value (string): This call does not cause any damage in the theme without an additional |
stklcode
added a commit
that referenced
this issue
Jan 8, 2021
Scalar option values do convert to string, however that no longer applies to arrays and never did for objects. We now do check for string values before the recursion to avoid warnings. Allowing other scalars would not fail, but there is no check matching numbers or boolean expressions.
This was referenced Jan 8, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Originally reported in the WP support forums: https://wordpress.org/support/topic/php-notice-breaks-scan/
antivirus/inc/class-antivirus-checkinternals.php
Lines 235 to 238 in fbc3614
We do scan for a get_option() call, get the option and execute the line check again on the value. The return value however can have any type, not only string. Implicit conversion works quite well for most primitives, but fails for objects and arrays.
I am unsure about the intention behind this routine.
So do we need to add some sanitization here? Allow only scalar types that convert to string? Stringify the value? Personally I would simply drop the options check.
The text was updated successfully, but these errors were encountered: