Fixed getQuotedUserIds does not validate post id's are ints, and MySQL reacts poorly

[Xon]

Affected version

2.1.1

While this function (XF\Service\Post\Preparer::getQuotedUserIds) quotes the post id's parsed from the [quote] tag, a malformed tag can cause non-integers to be passed to the MySQL. This then causes type juggling and weird behaviour.

For example;

explain
SELECT post_id, user_id
FROM xf_post
WHERE post_id IN (3021963, '3025958\"')

+------+-------------+---------+-------+---------------+---------+---------+------+----------+--------------------------+
| id   | select_type | table   | type  | possible_keys | key     | key_len | ref  | rows     | Extra                    |
+------+-------------+---------+-------+---------------+---------+---------+------+----------+--------------------------+
|    1 | SIMPLE      | xf_post | index | PRIMARY       | user_id | 4       | NULL | 33638006 | Using where; Using index |
+------+-------------+---------+-------+---------------+---------+---------+------+----------+--------------------------+

The expected query plan should be;

explain
SELECT post_id, user_id FROM xf_post WHERE post_id IN (3021963, 3025958);

+------+-------------+---------+-------+---------------+---------+---------+------+------+-------------+
| id   | select_type | table   | type  | possible_keys | key     | key_len | ref  | rows | Extra       |
+------+-------------+---------+-------+---------------+---------+---------+------+------+-------------+
|    1 | SIMPLE      | xf_post | range | PRIMARY       | PRIMARY | 4       | NULL |    2 | Using where |
+------+-------------+---------+-------+---------------+---------+---------+------+------+-------------+

 

[XF Bug Bot]

Thank you for reporting this issue. It has now been resolved and we are aiming to include it in a future XF release (2.1.2).

Change log:

Cast quoted post IDs to integers before querying for their user IDs.

Any changes made as a result of this issue being resolved may not be rolled out here until later.