From a71d2087856a17d9135b73fcdba30d4d336e7bf0 Mon Sep 17 00:00:00 2001
From: Felix Arntz <felix-arntz@leaves-and-love.net>
Date: Thu, 10 Jan 2019 21:06:49 +0000
Subject: [PATCH] General: Fix problematic string to array parsing.

WordPress has historically often used code like `preg_split( '/[\s,]+/', $var )` to parse a string of comma-separated values into an array. However, this approach was causing an empty string to not be parsed into an empty array as expected, but rather into an array with the empty string as its sole element.

This was among other areas causing problems in the REST API where passing an empty request parameter could cause that request to fail because, instead of it being ignored, that parameter would be compared against the valid values for it, which typically do not include an empty string.

Props david.binda, sstoqnov.
Fixes #43977.

Built from https://develop.svn.wordpress.org/trunk@44546


git-svn-id: http://core.svn.wordpress.org/trunk@44377 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/bookmark.php                      | 18 +++++------
 wp-includes/class-wp-comment-query.php        | 18 +++++------
 wp-includes/functions.php                     | 30 ++++++++++++-------
 wp-includes/post.php                          |  2 +-
 wp-includes/rest-api.php                      | 10 +++----
 .../endpoints/class-wp-rest-controller.php    |  2 +-
 wp-includes/version.php                       |  2 +-
 7 files changed, 43 insertions(+), 39 deletions(-)

diff --git a/wp-includes/bookmark.php b/wp-includes/bookmark.php
index b0de276df4..32499541d4 100644
--- a/wp-includes/bookmark.php
+++ b/wp-includes/bookmark.php
@@ -171,13 +171,13 @@ function get_bookmarks( $args = '' ) {
 		$r['exclude']       = '';  //ignore exclude, category, and category_name params if using include
 		$r['category']      = '';
 		$r['category_name'] = '';
-		$inclinks           = preg_split( '/[\s,]+/', $r['include'] );
+		$inclinks           = wp_parse_id_list( $r['include'] );
 		if ( count( $inclinks ) ) {
 			foreach ( $inclinks as $inclink ) {
 				if ( empty( $inclusions ) ) {
-					$inclusions = ' AND ( link_id = ' . intval( $inclink ) . ' ';
+					$inclusions = ' AND ( link_id = ' . $inclink . ' ';
 				} else {
-					$inclusions .= ' OR link_id = ' . intval( $inclink ) . ' ';
+					$inclusions .= ' OR link_id = ' . $inclink . ' ';
 				}
 			}
 		}
@@ -188,13 +188,13 @@ function get_bookmarks( $args = '' ) {
 
 	$exclusions = '';
 	if ( ! empty( $r['exclude'] ) ) {
-		$exlinks = preg_split( '/[\s,]+/', $r['exclude'] );
+		$exlinks = wp_parse_id_list( $r['exclude'] );
 		if ( count( $exlinks ) ) {
 			foreach ( $exlinks as $exlink ) {
 				if ( empty( $exclusions ) ) {
-					$exclusions = ' AND ( link_id <> ' . intval( $exlink ) . ' ';
+					$exclusions = ' AND ( link_id <> ' . $exlink . ' ';
 				} else {
-					$exclusions .= ' AND link_id <> ' . intval( $exlink ) . ' ';
+					$exclusions .= ' AND link_id <> ' . $exlink . ' ';
 				}
 			}
 		}
@@ -223,13 +223,13 @@ function get_bookmarks( $args = '' ) {
 	$category_query = '';
 	$join           = '';
 	if ( ! empty( $r['category'] ) ) {
-		$incategories = preg_split( '/[\s,]+/', $r['category'] );
+		$incategories = wp_parse_id_list( $r['category'] );
 		if ( count( $incategories ) ) {
 			foreach ( $incategories as $incat ) {
 				if ( empty( $category_query ) ) {
-					$category_query = ' AND ( tt.term_id = ' . intval( $incat ) . ' ';
+					$category_query = ' AND ( tt.term_id = ' . $incat . ' ';
 				} else {
-					$category_query .= ' OR tt.term_id = ' . intval( $incat ) . ' ';
+					$category_query .= ' OR tt.term_id = ' . $incat . ' ';
 				}
 			}
 		}
diff --git a/wp-includes/class-wp-comment-query.php b/wp-includes/class-wp-comment-query.php
index af05326915..95ab3a6b35 100644
--- a/wp-includes/class-wp-comment-query.php
+++ b/wp-includes/class-wp-comment-query.php
@@ -482,9 +482,11 @@ class WP_Comment_Query {
 
 		// 'status' accepts an array or a comma-separated string.
 		$status_clauses = array();
-		$statuses       = $this->query_vars['status'];
-		if ( ! is_array( $statuses ) ) {
-			$statuses = preg_split( '/[\s,]+/', $statuses );
+		$statuses       = wp_parse_list( $this->query_vars['status'] );
+
+		// Empty 'status' should be interpreted as 'all'.
+		if ( empty( $statuses ) ) {
+			$statuses = array( 'all' );
 		}
 
 		// 'any' overrides other statuses.
@@ -517,14 +519,10 @@ class WP_Comment_Query {
 
 		// User IDs or emails whose unapproved comments are included, regardless of $status.
 		if ( ! empty( $this->query_vars['include_unapproved'] ) ) {
-			$include_unapproved = $this->query_vars['include_unapproved'];
+			$include_unapproved = wp_parse_list( $this->query_vars['include_unapproved'] );
 
-			// Accepts arrays or comma-separated strings.
-			if ( ! is_array( $include_unapproved ) ) {
-				$include_unapproved = preg_split( '/[\s,]+/', $include_unapproved );
-			}
-
-			$unapproved_ids = $unapproved_emails = array();
+			$unapproved_ids    = array();
+			$unapproved_emails = array();
 			foreach ( $include_unapproved as $unapproved_identifier ) {
 				// Numeric values are assumed to be user ids.
 				if ( is_numeric( $unapproved_identifier ) ) {
diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index 39de1470e2..c790f3df39 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -3822,6 +3822,22 @@ function wp_parse_args( $args, $defaults = '' ) {
 	return $r;
 }
 
+/**
+ * Cleans up an array, comma- or space-separated list of scalar values.
+ *
+ * @since 5.1.0
+ *
+ * @param array|string $list List of values.
+ * @return array Sanitized array of values.
+ */
+function wp_parse_list( $list ) {
+	if ( ! is_array( $list ) ) {
+		return preg_split( '/[\s,]+/', $list, -1, PREG_SPLIT_NO_EMPTY );
+	}
+
+	return $list;
+}
+
 /**
  * Clean up an array, comma- or space-separated list of IDs.
  *
@@ -3831,9 +3847,7 @@ function wp_parse_args( $args, $defaults = '' ) {
  * @return array Sanitized array of IDs.
  */
 function wp_parse_id_list( $list ) {
-	if ( ! is_array( $list ) ) {
-		$list = preg_split( '/[\s,]+/', $list );
-	}
+	$list = wp_parse_list( $list );
 
 	return array_unique( array_map( 'absint', $list ) );
 }
@@ -3847,15 +3861,9 @@ function wp_parse_id_list( $list ) {
  * @return array Sanitized array of slugs.
  */
 function wp_parse_slug_list( $list ) {
-	if ( ! is_array( $list ) ) {
-		$list = preg_split( '/[\s,]+/', $list );
-	}
+	$list = wp_parse_list( $list );
 
-	foreach ( $list as $key => $value ) {
-		$list[ $key ] = sanitize_title( $value );
-	}
-
-	return array_unique( $list );
+	return array_unique( array_map( 'sanitize_title', $list ) );
 }
 
 /**
diff --git a/wp-includes/post.php b/wp-includes/post.php
index f3696341da..565c243bbc 100644
--- a/wp-includes/post.php
+++ b/wp-includes/post.php
@@ -5088,7 +5088,7 @@ function get_pages( $args = array() ) {
 
 	$author_query = '';
 	if ( ! empty( $r['authors'] ) ) {
-		$post_authors = preg_split( '/[\s,]+/', $r['authors'] );
+		$post_authors = wp_parse_list( $r['authors'] );
 
 		if ( ! empty( $post_authors ) ) {
 			foreach ( $post_authors as $post_author ) {
diff --git a/wp-includes/rest-api.php b/wp-includes/rest-api.php
index 1c8bb4620e..e0807e7696 100644
--- a/wp-includes/rest-api.php
+++ b/wp-includes/rest-api.php
@@ -679,7 +679,7 @@ function rest_filter_response_fields( $response, $server, $request ) {
 
 	$data = $response->get_data();
 
-	$fields = is_array( $request['_fields'] ) ? $request['_fields'] : preg_split( '/[\s,]+/', $request['_fields'] );
+	$fields = wp_parse_list( $request['_fields'] );
 
 	if ( 0 === count( $fields ) ) {
 		return $response;
@@ -1109,8 +1109,8 @@ function rest_get_avatar_sizes() {
  */
 function rest_validate_value_from_schema( $value, $args, $param = '' ) {
 	if ( 'array' === $args['type'] ) {
-		if ( ! is_array( $value ) ) {
-			$value = preg_split( '/[\s,]+/', $value );
+		if ( ! is_null( $value ) ) {
+			$value = wp_parse_list( $value );
 		}
 		if ( ! wp_is_numeric_array( $value ) ) {
 			/* translators: 1: parameter, 2: type name */
@@ -1253,9 +1253,7 @@ function rest_sanitize_value_from_schema( $value, $args ) {
 		if ( empty( $args['items'] ) ) {
 			return (array) $value;
 		}
-		if ( ! is_array( $value ) ) {
-			$value = preg_split( '/[\s,]+/', $value );
-		}
+		$value = wp_parse_list( $value );
 		foreach ( $value as $index => $v ) {
 			$value[ $index ] = rest_sanitize_value_from_schema( $v, $args['items'] );
 		}
diff --git a/wp-includes/rest-api/endpoints/class-wp-rest-controller.php b/wp-includes/rest-api/endpoints/class-wp-rest-controller.php
index 6dc971517d..d610504692 100644
--- a/wp-includes/rest-api/endpoints/class-wp-rest-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-controller.php
@@ -532,7 +532,7 @@ abstract class WP_REST_Controller {
 		if ( ! isset( $request['_fields'] ) ) {
 			return $fields;
 		}
-		$requested_fields = is_array( $request['_fields'] ) ? $request['_fields'] : preg_split( '/[\s,]+/', $request['_fields'] );
+		$requested_fields = wp_parse_list( $request['_fields'] );
 		if ( 0 === count( $requested_fields ) ) {
 			return $fields;
 		}
diff --git a/wp-includes/version.php b/wp-includes/version.php
index b225cb356b..5d8cbfe002 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -13,7 +13,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '5.1-alpha-44545';
+$wp_version = '5.1-alpha-44546';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.