From faf386885c39500aae529ab738618602ab1e7114 Mon Sep 17 00:00:00 2001
From: Brad Jorsch
Date: Tue, 3 Sep 2024 12:14:38 -0400
Subject: [PATCH] image-cdn: Avoid fatal on bad img width/height (#39208)

If the `` tag has a value for `width` or `height` that's neither an integer nor a percentage, this will cause a fatal error when the value is attempted to be used as an integer. Add validation to avoid this.

---
 .../image-cdn/changelog/fix-image-cdn-fatal | 4 ++
 .../image-cdn/src/class-image-cdn.php | 4 +-
 .../tests/php/test_class.image_cdn.php | 42 +++++++++++++++++++
 3 files changed, 48 insertions(+), 2 deletions(-)
 create mode 100644 projects/packages/image-cdn/changelog/fix-image-cdn-fatal

diff --git a/projects/packages/image-cdn/changelog/fix-image-cdn-fatal b/projects/packages/image-cdn/changelog/fix-image-cdn-fatal
new file mode 100644
index 0000000000000..ee6efceb66701
--- /dev/null
+++ b/projects/packages/image-cdn/changelog/fix-image-cdn-fatal
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fixed
+
+Avoid a fatal error if an `` tag has width or height that's not an integer or percentage.
diff --git a/projects/packages/image-cdn/src/class-image-cdn.php b/projects/packages/image-cdn/src/class-image-cdn.php
index 13921df4355a9..3ed4e30dedd3f 100644
--- a/projects/packages/image-cdn/src/class-image-cdn.php
+++ b/projects/packages/image-cdn/src/class-image-cdn.php
@@ -449,11 +449,11 @@ public static function filter_the_content( $content ) {
 // First, check the image tag. Note we only check for pixel sizes now; HTML4 percentages have never been correctly
 // supported, so we stopped pretending to support them in JP 9.1.0.
- if ( ! is_string( $width ) || str_contains( $width, '%' ) ) {
+ if ( ! is_string( $width ) || ! ctype_digit( $width ) ) {
 $width = false;
 }
- if ( ! is_string( $height ) || str_contains( $height, '%' ) ) {
+ if ( ! is_string( $height ) || ! ctype_digit( $height ) ) {
 $height = false;
 }
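Review bot: The two context comment lines above the first `if` still describe the check as a percentage test, while the new `! ctype_digit()` condition rejects every value that is not a plain run of ASCII digits — `100px`, ` 100`, `-1`, `1e2` and the empty string now all fall back to `false`. Suggest rewording them to `// First, check the image tag. Only unsigned-integer pixel sizes are honoured; percentages (unsupported since JP 9.1.0) and any other non-numeric value are treated as absent.` so a later reader does not reintroduce a looser check. Browsers would presumably still render `width="100px"` at 100 pixels, so such images now lose their explicit size hint rather than fatal; given that the accepted value is later placed in the Photon URL query (the `fit` parameter asserted in the tests), the strict digit-only check is the safer choice. `ctype_digit()` comes from the optional ctype extension — fine if the package already depends on it, otherwise `preg_match( '/^[0-9]+$/', $width )` expresses the same rule without the dependency. filter_the_content() begins and ends outside this hunk.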
diff --git a/projects/packages/image-cdn/tests/php/test_class.image_cdn.php b/projects/packages/image-cdn/tests/php/test_class.image_cdn.php
index 241b364a5044d..ae52b3d9d04ce 100644
--- a/projects/packages/image-cdn/tests/php/test_class.image_cdn.php
+++ b/projects/packages/image-cdn/tests/php/test_class.image_cdn.php
@@ -1220,6 +1220,48 @@ public function test_image_cdn_filter_the_content_percentage_width_and_height()
 $this->assertEquals( '1024,768', $query_params['fit'] );
 }
+ /**
+ * Tests that Photon ignores empty dimensions. It should fall back to e.g. a "size-foo" class.
+ *
+ * @covers Image_CDN::filter_the_content
+ */
+ public function test_image_cdn_filter_the_content_empty_width_and_height() {
+ $sample_html = '';
+ $filtered_content = Image_CDN::filter_the_content( $sample_html );
+ $attributes = wp_kses_hair( $filtered_content, wp_allowed_protocols() );
+ $query_str = wp_parse_url( $attributes['src']['value'], PHP_URL_QUERY );
+ parse_str( $query_str, $query_params );
+
+ $this->assertArrayHasKey( 'width', $attributes );
+ $this->assertSame( '1024', $attributes['width']['value'] );
+ $this->assertArrayHasKey( 'height', $attributes );
+ $this->assertSame( '768', $attributes['height']['value'] );
+
+ $this->assertArrayHasKey( 'fit', $query_params );
+ $this->assertEquals( '1024,768', $query_params['fit'] );
+ }
+
+ /**
+ * Tests that Photon ignores bogus dimensions. It should fall back to e.g. a "size-foo" class.
+ *
+ * @covers Image_CDN::filter_the_content
+ */
+ public function test_image_cdn_filter_the_content_bogus_width_and_height() {
+ $sample_html = '';
+ $filtered_content = Image_CDN::filter_the_content( $sample_html );
+ $attributes = wp_kses_hair( $filtered_content, wp_allowed_protocols() );
+ $query_str = wp_parse_url( $attributes['src']['value'], PHP_URL_QUERY );
+ parse_str( $query_str, $query_params );
+
+ $this->assertArrayHasKey( 'width', $attributes );
+ $this->assertSame( '1024', $attributes['width']['value'] );
+ $this->assertArrayHasKey( 'height', $attributes );
+ $this->assertSame( '768', $attributes['height']['value'] );
+
+ $this->assertArrayHasKey( 'fit', $query_params );
+ $this->assertEquals( '1024,768', $query_params['fit'] );
+ }
+
 /**
 * Tests that Photon will filter for an AMP response.
 *
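Review bot: The two new test methods are identical apart from `$sample_html`, and the preceding percentage test (cut at the top of the hunk) follows the same shape, so this is a good candidate for one method driven by a `@dataProvider` that yields the percentage, empty and bogus markup and leaves a single assertion body to maintain. Within each test `assertSame` is used for `width`/`height` but `assertEquals` for `fit`; `$this->assertSame( '1024,768', $query_params['fit'] );` keeps the comparison strict throughout, which is appropriate since `parse_str` yields strings. The `$sample_html` literals show as `''` in this view, which is likely loss of the `<img>` markup during extraction rather than the real inputs, so the test data itself could not be reviewed here.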