Make WordPress Core

Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#33710 closed defect (bug) (fixed)

Displaying a comment whose comment_parent has been deleted results in PHP Notices

Reported by: rachelbaker
Owned by: rachelbaker
Milestone: 4.4
Priority: normal
Severity: normal
Version:
Component: Comments
Keywords: has-patch commit
Focuses: administration
Cc:

Description

There are missing checks in the Comments (wp-admin/edit-comments.php) and Edit Comment (wp-admin/comment.php?action=editcomment&c={comment_ID}) screens for comments that have a comment_parent value. If the comment parent was deleted, or for some reason doesn't exist, get_comment( $comment->comment_parent ) won't return an object. In both screens we do not check that we have a parent object before calling get_comment_link() or get_comment_author(), both of which also assume a comment object exists, which results in PHP Notice: Trying to get property of non-object messages.

Assuming your PHP error reporting level includes Notices, you log or display the errors, and you enjoy replicating bugs; here are the steps to reproduce:

  1. Create a test comment
  2. Reply to the test comment
  3. Delete the test comment created in step 1
  4. View the Comments screen
  5. Note the PHP Notices (example https://cloudup.com/cpH6cjQry-a)
  6. Locate your parentless comment (the reply created in step 2) in the list table and click the "Edit" link
  7. View the Edit Comment screen
  8. Note the PHP Notices (example: https://cloudup.com/ckUOLcdVCY5)
  9. Throw laptop out window
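
The missing check described above, as an added example that is not part of the ticket or its patches: a hypothetical helper `demo_in_reply_to()` builds the parent link only when `get_comment()` yields an object. The stand-in functions and sample comments are constructed so the file runs outside WordPress, and the output escaping is this example's own choice.

```php
<?php
// Added example, not WordPress core code. The stand-ins and sample comments
// below are constructed so the file runs on its own with `php`.
if ( ! function_exists( 'get_comment' ) ) {
	// Constructed data: comment 2 replies to comment 1, which was deleted.
	$GLOBALS['demo_comments'] = array(
		2 => (object) array( 'comment_ID' => 2, 'comment_parent' => 1, 'comment_author' => 'Orphan' ),
		3 => (object) array( 'comment_ID' => 3, 'comment_parent' => 0, 'comment_author' => 'A <b>Parent</b>' ),
		4 => (object) array( 'comment_ID' => 4, 'comment_parent' => 3, 'comment_author' => 'Reply' ),
	);
	function get_comment( $id ) {
		return isset( $GLOBALS['demo_comments'][ $id ] ) ? $GLOBALS['demo_comments'][ $id ] : null;
	}
	function get_comment_link( $comment ) {
		return 'https://example.test/?p=1#comment-' . $comment->comment_ID;
	}
	function get_comment_author( $comment ) {
		return $comment->comment_author;
	}
	function esc_url( $url ) {
		return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
	}
	function esc_html( $text ) {
		return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
	}
}

// Hypothetical helper: returns the "In reply to" markup, or '' for a
// top-level comment or an orphan whose parent no longer exists.
function demo_in_reply_to( $comment ) {
	if ( empty( $comment->comment_parent ) ) {
		return ''; // Top-level comment: nothing to link to.
	}
	$parent = get_comment( $comment->comment_parent );
	if ( ! is_object( $parent ) ) {
		return ''; // Orphan: skip the link instead of dereferencing a non-object.
	}
	// Escape for the context each value lands in: URL in href, text in the link body.
	return sprintf(
		'In reply to <a href="%s">%s</a>.',
		esc_url( get_comment_link( $parent ) ),
		esc_html( get_comment_author( $parent ) )
	);
}

// Orphan (2), top-level (3) and a reply whose parent still exists (4).
foreach ( array( 2, 3, 4 ) as $id ) {
	printf( "comment %d: [%s]\n", $id, demo_in_reply_to( get_comment( $id ) ) );
}
```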

Attachments (4)

33710.patch (2.0 KB) - added by rachelbaker 9 years ago.
33710.1.patch (2.0 KB) - added by rachelbaker 9 years ago.
Refreshed patch to remove esc_attr
33710.2.patch (1.9 KB) - added by rachelbaker 9 years ago.
33710.diff (4.2 KB) - added by wonderboymusic 9 years ago.


Change History (13)

#1 @rachelbaker
9 years ago

  • Owner set to rachelbaker
  • Status changed from new to accepted

@rachelbaker
9 years ago

#2 @rachelbaker
9 years ago

  • Keywords has-patch added; needs-patch removed
  • Milestone changed from Awaiting Review to 4.4

Patch checks if the comment parent object exists and, if it does, escapes the comment parent author's name.

#4 @SergeyBiryukov
9 years ago

esc_attr() is only useful for HTML attributes, which is not the case here.

Comment author name already runs through sanitize_text_field() and KSES filters, it should be safe.

This ticket was mentioned in Slack in #core by sergey.


9 years ago

@rachelbaker
9 years ago

Refreshed patch to remove esc_attr

#6 @wonderboymusic
9 years ago

  • Keywords needs-refresh added

I churned the Comment List Table code, patch needs a reboot

@rachelbaker
9 years ago

#7 @rachelbaker
9 years ago

  • Keywords commit added; needs-refresh removed

@wonderboymusic

attachment:33710.2.patch refreshes the patch. Added commit keyword for your consideration.

#8 @wonderboymusic
9 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 34015:

Comments/PHP Notices: check that a parent comment exists before displaying an orphan's link to it in the admin.

Props rachelbaker.
Fixes #33710.

@wonderboymusic
9 years ago

#9 @wonderboymusic
9 years ago

In 34038:

After [34015], handle orphaned comments in the Dashboard comments widget. Pass full $comment versus just passing the comment ID when possible.

See #33710.
