From 164103261fafe18bfdef423a2b37031d6b21baa4 Mon Sep 17 00:00:00 2001
From: Sukhendu Sekhar Guria
Date: Mon, 27 Apr 2026 10:38:39 +0530
Subject: [PATCH 1/2] fix: prevent fatal error with malformed post type query vars
---
 src/wp-includes/class-wp-query.php | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/wp-includes/class-wp-query.php b/src/wp-includes/class-wp-query.php
index cf07b07d977c3..9db966fb92d71 100644
--- a/src/wp-includes/class-wp-query.php
+++ b/src/wp-includes/class-wp-query.php
@@ -878,6 +878,10 @@ public function parse_query( $query = '' ) {
 $query_vars['attachment_id'] = is_scalar( $query_vars['attachment_id'] ) ? absint( $query_vars['attachment_id'] ) : 0;
+ if ( ! is_scalar( $query_vars['attachment'] ) ) {
+ $query_vars['attachment'] = '';
+ }
+
 if ( ( '' !== $query_vars['attachment'] ) || ! empty( $query_vars['attachment_id'] ) ) {
 $this->is_single = true;
 $this->is_attachment = true;
@@ -2152,11 +2156,17 @@ public function get_posts() {
 if ( ! $ptype_obj->hierarchical ) {
 // Non-hierarchical post types can directly use 'name'.
- $query_vars['name'] = $query_vars[ $ptype_obj->query_var ];
+ if ( is_scalar( $query_vars[ $ptype_obj->query_var ] ) ) {
+ $query_vars['name'] = $query_vars[ $ptype_obj->query_var ];
+ } else {
+ $query_vars['name'] = '';
+ }
 } else {
 // Hierarchical post types will operate through 'pagename'.
- $query_vars['pagename'] = $query_vars[ $ptype_obj->query_var ];
- $query_vars['name'] = '';
+ if ( is_scalar( $query_vars[ $ptype_obj->query_var ] ) ) {
+ $query_vars['pagename'] = $query_vars[ $ptype_obj->query_var ];
+ }
+ $query_vars['name'] = '';
 }
 // Only one request for a slug is possible, this is why name & pagename are overwritten above.
From 1eff3fb5748c5bf811d52f197511534eec76878f Mon Sep 17 00:00:00 2001
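Review bot: The new guard in parse_query() resets a non-scalar `attachment` to `''` without recording why, and the reason is not evident from the code alone. A one-line comment above the `if` would document the trust boundary, for example `// Query vars can arrive from the request as arrays; treat a non-scalar 'attachment' as unset so later code never receives one.` Note also that `is_scalar()` admits booleans and floats, so a programmatic `true` still satisfies the `'' !== $query_vars['attachment']` test on the next line; whether that matters depends on callers outside this hunk. The body of parse_query() continues beyond the hunk on both sides.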
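Review bot: In get_posts(), the hierarchical branch leaves `$query_vars['pagename']` untouched when the post type query var is not scalar, while the non-hierarchical branch explicitly resets `name` to `''`. The trailing comment still says name and pagename "are overwritten above", so a `pagename` already present in the query vars could now survive and be used for a request that supplied a malformed value. Mirroring the first branch keeps both paths consistent: `} else { $query_vars['pagename'] = ''; }`. In both branches the array itself stays in `$query_vars[ $ptype_obj->query_var ]`, and any code after the hunk that reads it is not visible here, so that is worth checking. The enclosing block starts and ends outside the hunk.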
From: Sukhendu Sekhar Guria
Date: Mon, 27 Apr 2026 11:35:33 +0530
Subject: [PATCH 2/2] Tests: Add tests for malformed post type query vars handling
---
 tests/phpunit/tests/query/parseQuery.php | 62 ++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
diff --git a/tests/phpunit/tests/query/parseQuery.php b/tests/phpunit/tests/query/parseQuery.php
index 7830b6723dfa5..ba0288211ee10 100644
--- a/tests/phpunit/tests/query/parseQuery.php
+++ b/tests/phpunit/tests/query/parseQuery.php
@@ -234,6 +234,68 @@ public function test_parse_query_attachment_id_nonscalar() {
 $this->assertEmpty( $q->query_vars['attachment_id'] );
 }
+ /**
+ * Ensure non-scalar 'attachment' value is rejected and attachment flags are not set.
+ *
+ * @ticket 65123
+ */
+ public function test_parse_query_attachment_nonscalar() {
+ $q = new WP_Query();
+ $q->parse_query(
+ array(
+ 'attachment' => array( 'foo' => 'bar' ),
+ )
+ );
+
+ $this->assertEmpty( $q->query_vars['attachment'] );
+ $this->assertFalse( $q->is_attachment );
+ $this->assertFalse( $q->is_single );
+ }
+
+ /**
+ * Ensure a string 'attachment' value sets is_attachment and is_single flags.
+ *
+ * @ticket 65123
+ */
+ public function test_parse_query_attachment_scalar() {
+ $q = new WP_Query();
+ $q->parse_query(
+ array(
+ 'attachment' => 'my-image',
+ )
+ );
+
+ $this->assertSame( 'my-image', $q->query_vars['attachment'] );
+ $this->assertTrue( $q->is_attachment );
+ $this->assertTrue( $q->is_single );
+ }
+
+ /**
+ * Ensure non-scalar post type query var does not cause a fatal error.
+ *
+ * @ticket 65123
+ */
+ public function test_parse_query_post_type_query_var_array() {
+ register_post_type(
+ 'wptests_cpt',
+ array(
+ 'public' => true,
+ 'query_var' => 'wptests_cpt',
+ )
+ );
+
+ $q = new WP_Query(
+ array(
+ 'post_type' => 'wptests_cpt',
+ 'wptests_cpt' => array( 'foo' => 'bar' ),
+ )
+ );
+
+ unregister_post_type( 'wptests_cpt' );
+
+ $this->assertIsArray( $q->posts );
+ }
+
 /**
 * Tests that a fatal error is not thrown when a hierarchical taxonomy query var
 * passed to wp_basename() in ::parse_tax_query() is an array instead of a string.
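Review bot: `test_parse_query_post_type_query_var_array()` exercises only the non-hierarchical branch and asserts nothing beyond `$q->posts` being an array, so the hierarchical `pagename` path changed in get_posts() has no coverage. A sibling test that registers the type with `'hierarchical' => true` and passes the same array-valued query var would cover it, and both tests could pin the normalised value with `$this->assertSame( '', $q->get( 'name' ) );`. That assertion assumes get_posts() writes back into the query's own vars, which cannot be confirmed from these hunks. `unregister_post_type()` is reached only if the query does not throw; unless the suite already resets post types between tests, doing the cleanup in tear-down would stop a failure from leaking the type into later tests.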