• Hello,

    I am using your plugin wc-restricted-shipping-and-payment. I encountered stability issues where some of my condition rules were not triggering correctly or could potentially lead to unexpected behavior when rule values were saved as non-array types (like an empty string ''). I suspect this regression may have appeared since the last plugin update.

    The core issue is a lack of type enforcement before calling array_intersect(), which can lead to runtime errors or incorrect logic application when facing malformed input (e.g., a field was left empty by the user in the admin).

    To fix this vulnerability and ensure the plugin is robust against user error (by handling unexpected/scalar inputs gracefully), I applied a patch to the following file:

    /includes/operators/class-rspw-in-operator.php

    Applied Code Patch

    This correction ensures that both the $needle (rule value) and $haystack (cart data) are valid arrays before processing:

    Initial Code:

    PHP

    public function match( $needle, $haystack ) {
        return ! empty( array_intersect( $needle, $haystack ) );
    }
    

    Patched Code (Ensuring Resiliency):

    PHP

    public function match( $needle, $haystack ) {
         // --- START OF CRITICAL STABILITY FIX ---
    
         // Ensure $needle (the set to check) is a valid array, and clean up empty string casts
         if ( ! is_array( $needle ) ) {
             $needle = (array) $needle;
             if ( 1 === count( $needle ) && '' === $needle[0] ) {
                 $needle = array();
             }
         }
    
         // Ensure $haystack (the data source) is a valid array, and clean up empty string casts
         if ( ! is_array( $haystack ) ) {
             $haystack = (array) $haystack;
             if ( 1 === count( $haystack ) && '' === $haystack[0] ) {
                 $haystack = array();
             }
         }
         // --- END OF CRITICAL STABILITY FIX ---
    
         return ! empty( array_intersect( $needle, $haystack ) );
    }
    

    Summary

    This fix enhances the plugin’s stability by preventing logical failures when user-configurable fields are left empty or saved with unexpected data types. I recommend integrating this patch into the next release for improved code robustness, unless you ensure that these cases are not possible anymore. This should improve your user base.

    Thank you.

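The type normalization described in the post above, as an added example that is not part of the original post or the plugin's code: it runs the shipped `match()` body next to a hardened variant, and goes beyond the posted patch by also dropping empty entries inside arrays. The `rspw_example_*` function names and the sample rule values are constructed for illustration.

```php
<?php
// Added example: rspw_example_* names are hypothetical, not plugin code.

// The match() body as originally shipped, for comparison.
function rspw_example_original_match( $needle, $haystack ) {
    return ! empty( array_intersect( $needle, $haystack ) );
}

// Coerce any saved rule value or cart value to a clean list.
function rspw_example_to_list( $value ) {
    if ( ! is_array( $value ) ) {
        $value = array( $value ); // wraps scalars, null and objects alike
    }
    // Keep only non-empty scalars: null, '', nested arrays and objects go.
    return array_values(
        array_filter(
            $value,
            static function ( $item ) {
                return is_scalar( $item ) && '' !== (string) $item;
            }
        )
    );
}

function rspw_example_hardened_match( $needle, $haystack ) {
    $needle   = rspw_example_to_list( $needle );
    $haystack = rspw_example_to_list( $haystack );
    return ! empty( array_intersect( $needle, $haystack ) );
}

// Constructed sample inputs: array( label, needle, haystack ).
$cases = array(
    array( 'empty string rule', '', array( 'flat_rate' ) ),
    array( 'scalar rule', 'flat_rate', array( 'flat_rate', 'cod' ) ),
    array( 'null cart data', array( 'flat_rate' ), null ),
    array( 'empty entries', array( '' ), array( '' ) ),
    array( 'well-formed', array( 'cod' ), array( 'cod', 'bacs' ) ),
);

foreach ( $cases as $case ) {
    list( $label, $needle, $haystack ) = $case;
    try {
        $before = var_export( rspw_example_original_match( $needle, $haystack ), true );
    } catch ( TypeError $e ) {
        $before = 'TypeError'; // PHP 8+: array_intersect() rejects non-arrays
    }
    $after = var_export( rspw_example_hardened_match( $needle, $haystack ), true );
    printf( "%-18s before=%-9s after=%s\n", $label, $before, $after );
}
```

On PHP 7 the non-array cases emit a warning and evaluate to false instead of throwing. The `empty entries` row shows two arrays holding only `''` matching each other before normalization.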