Date/Time: Prevent a PHP exception when inserting posts with a partially malformed post_date.

JJJ · JJJ · commit 8b5dd7af60a2 · 2025-11-06T23:35:52.000Z
This commit updates `wp_resolve_post_date()` to use a regular expression for parsing the date string into year, month, and day matches. This approach handles missing leading zeros more reliably than `substr()` while remaining performant (see #57683). It also adds checks and type-casting to `wp_checkdate()` variables before passing them into PHP's `checkdate()` function to avoid the potential for a `TypeError` in PHP 8 and newer (see #54186). Lastly, it includes 2 new unit tests (with data providers) to cover an array of valid and invalid date formats (YYYY-MM-DD, YYYY-MM-DD HH:MM:SS, ISO 8601, RSS, leap years, malformed inputs, etc...) Props alordiel, desrosj, johnbillion, johnjamesjacoby, johnregan3, modius5150, nacin, pbearne. Fixes #26798. git-svn-id: https://develop.svn.wordpress.org/trunk@61172 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php
@@ -7397,6 +7397,11 @@ function wp_is_stream( $path ) {
  * @return bool True if valid date, false if not valid date.
  */
 function wp_checkdate( $month, $day, $year, $source_date ) {
+	$checkdate = false;
+	if ( is_numeric( $month ) && is_numeric( $day ) && is_numeric( $year ) ) {
+		$checkdate = checkdate( (int) $month, (int) $day, (int) $year );
+	}
+
 	/**
 	 * Filters whether the given date is valid for the Gregorian calendar.
 	 *
@@ -7405,7 +7410,7 @@ function wp_checkdate( $month, $day, $year, $source_date ) {
 	 * @param bool   $checkdate   Whether the given date is valid.
 	 * @param string $source_date Date to check.
 	 */
-	return apply_filters( 'wp_checkdate', checkdate( $month, $day, $year ), $source_date );
+	return apply_filters( 'wp_checkdate', $checkdate, $source_date );
 }
 
 /**
diff --git a/src/wp-includes/post.php b/src/wp-includes/post.php
@@ -5431,11 +5431,13 @@ function wp_resolve_post_date( $post_date = '', $post_date_gmt = '' ) {
 	}
 
 	// Validate the date.
-	$month = (int) substr( $post_date, 5, 2 );
-	$day   = (int) substr( $post_date, 8, 2 );
-	$year  = (int) substr( $post_date, 0, 4 );
+	preg_match( '/^(\d{4})-(\d{1,2})-(\d{1,2})/', $post_date, $matches );
 
-	$valid_date = wp_checkdate( $month, $day, $year, $post_date );
+	if ( empty( $matches ) || ! is_array( $matches ) || count( $matches ) < 4 ) {
+		return false;
+	}
+
+	$valid_date = wp_checkdate( $matches[2], $matches[3], $matches[1], $post_date );
 
 	if ( ! $valid_date ) {
 		return false;
diff --git a/tests/phpunit/tests/post.php b/tests/phpunit/tests/post.php
@@ -814,4 +814,241 @@ public function test_use_block_editor_for_post() {
 		$this->assertTrue( use_block_editor_for_post( $restless_post_id ) );
 		remove_filter( 'use_block_editor_for_post', '__return_true' );
 	}
+
+	/**
+	 * @ticket 26798
+	 *
+	 * @dataProvider data_wp_insert_post_handle_malformed_post_date
+	 *
+	 * The purpose of this test is to ensure that invalid dates do not
+	 * cause PHP errors when wp_insert_post() is called, and that the
+	 * posts are not actually "inserted" (created).
+	 */
+	public function test_wp_insert_post_handle_malformed_post_date( $input, $expected ) {
+		$post = array(
+			'post_author'  => self::$editor_id,
+			'post_status'  => 'publish',
+			'post_content' => 'content',
+			'post_title'   => 'title',
+			'post_date'    => $input,
+		);
+
+		// Inserting the post should fail gracefully.
+		$id     = wp_insert_post( $post );
+		$actual = ! empty( $id );
+
+		// Compare if post was (or was not) inserted.
+		$this->assertSame( $actual, $expected );
+	}
+
+	/**
+	 * @ticket 26798
+	 */
+	public function data_wp_insert_post_handle_malformed_post_date() {
+		return array(
+			array(
+				'2012-01-01',
+				true,
+			),
+			// 24-hour time format.
+			array(
+				'2012-01-01 13:00:00',
+				true,
+			),
+			// ISO8601 date with timezone.
+			array(
+				'2016-01-16T00:00:00Z',
+				true,
+			),
+			// ISO8601 date with timezone offset.
+			array(
+				'2016-01-16T00:00:00+0100',
+				true,
+			),
+			// RFC3339 Format.
+			array(
+				'1970-01-01T01:00:00+01:00',
+				true,
+			),
+			// RSS Format
+			array(
+				'1970-01-01T01:00:00+0100',
+				true,
+			),
+			// Leap year.
+			array(
+				'2012-02-29',
+				true,
+			),
+			// Strange formats.
+			array(
+				'2012-01-01 0',
+				true,
+			),
+			array(
+				'2012-01-01 25:00:00',
+				true,
+			),
+			array(
+				'2012-01-01 00:60:00',
+				true,
+			),
+			// Failures.
+			array(
+				'2012-08-0z',
+				false,
+			),
+			array(
+				'2012-08-1',
+				false,
+			),
+			array(
+				'201-01-08 00:00:00',
+				false,
+			),
+			array(
+				'201-01-08 00:60:00',
+				false,
+			),
+			array(
+				'201a-01-08 00:00:00',
+				false,
+			),
+			array(
+				'2012-1-08 00:00:00',
+				false,
+			),
+			array(
+				'2012-31-08 00:00:00',
+				false,
+			),
+			array(
+				'2012-01-8 00:00:00',
+				false,
+			),
+			array(
+				'2012-01-48 00:00:00',
+				false,
+			),
+			// Not a leap year.
+			array(
+				'2011-02-29',
+				false,
+			),
+		);
+	}
+
+	/**
+	 * @ticket 26798
+	 *
+	 * @dataProvider data_wp_resolve_post_date_regex
+	 *
+	 * Tests the regex inside of wp_resolve_post_date(), with
+	 * the emphasis on the date format (not the time).
+	 */
+	public function test_wp_resolve_post_date_regex( $date, $expected ) {
+		// Attempt to resolve post date.
+		$actual = wp_resolve_post_date( $date );
+
+		// Compare if resolved post date is (or is not) valid.
+		$this->assertSame( $actual, $expected );
+	}
+
+	/**
+	 * @ticket 26798
+	 */
+	public function data_wp_resolve_post_date_regex() {
+		return array(
+			array(
+				'2012-01-01',
+				'2012-01-01',
+			),
+			array(
+				'2012-01-01 00:00:00',
+				'2012-01-01 00:00:00',
+			),
+			// ISO8601 date with timezone.
+			array(
+				'2016-01-16T00:00:00Z',
+				'2016-01-16T00:00:00Z',
+			),
+			// ISO8601 date with timezone offset.
+			array(
+				'2016-01-16T00:00:00+0100',
+				'2016-01-16T00:00:00+0100',
+			),
+			// RFC3339 Format.
+			array(
+				'1970-01-01T01:00:00+01:00',
+				'1970-01-01T01:00:00+01:00',
+			),
+			// RSS Format
+			array(
+				'1970-01-01T01:00:00+0100',
+				'1970-01-01T01:00:00+0100',
+			),
+			// 24-hour time format.
+			array(
+				'2012-01-01 13:00:00',
+				'2012-01-01 13:00:00',
+			),
+			array(
+				'2016-01-16T00:0',
+				'2016-01-16T00:0',
+			),
+			array(
+				'2012-01-01 0',
+				'2012-01-01 0',
+			),
+			array(
+				'2012-01-01 00:00',
+				'2012-01-01 00:00',
+			),
+			array(
+				'2012-01-01 25:00:00',
+				'2012-01-01 25:00:00',
+			),
+			array(
+				'2012-01-01 00:60:00',
+				'2012-01-01 00:60:00',
+			),
+			array(
+				'2012-01-01 00:00:60',
+				'2012-01-01 00:00:60',
+			),
+			array(
+				'201-01-08',
+				false,
+			),
+			array(
+				'201a-01-08',
+				false,
+			),
+			array(
+				'2012-1-08',
+				false,
+			),
+			array(
+				'2012-31-08',
+				false,
+			),
+			array(
+				'2012-01-8',
+				false,
+			),
+			array(
+				'2012-01-48 00:00:00',
+				false,
+			),
+			// Leap year.
+			array(
+				'2012-02-29',
+				'2012-02-29',
+			),
+			array(
+				'2011-02-29',
+				false,
+			),
+		);
+	}
 }
