I18N: Harden against undefined index in _load_script_textdomain_from_src().

westonruter · westonruter · commit 0fced49b8dbc · 2026-05-02T05:54:39.000Z
This guards against an undefined index warning being raised when a script or script module is registered with a URL that lacks a path component. This also adds full PHPStan type definitions for `wp_parse_url()`, ensuring that the `_load_script_textdomain_from_src()` function has no PHPStan errors at rule level 10. Developed in #11690 Follow-up to r62278. Props westonruter, manzoorwanijk, mukesh27. See #65015, #64238. git-svn-id: https://develop.svn.wordpress.org/trunk@62293 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/http.php b/src/wp-includes/http.php
@@ -716,6 +716,26 @@ function ms_allowed_http_request_hosts( $is_external, $host ) {
  *               When a specific component has been requested: null if the component
  *               doesn't exist in the given URL; a string or - in the case of
  *               PHP_URL_PORT - integer when it does. See parse_url()'s return values.
+ *
+ * @phpstan-param int<-1, 7> $component
+ * @phpstan-return (
+ *     $component is -1
+ *         ? false|array{
+ *               scheme?: string,
+ *               host?: string,
+ *               port?: int<0, 65535>,
+ *               user?: string,
+ *               pass?: string,
+ *               path?: string,
+ *               query?: string,
+ *               fragment?: string,
+ *           }
+ *         : (
+ *             $component is 2
+ *                 ? int<0, 65535>|null
+ *                 : string|null
+ *         )
+ * )
  */
 function wp_parse_url( $url, $component = -1 ) {
 	$to_unset = array();
@@ -763,6 +783,36 @@ function wp_parse_url( $url, $component = -1 ) {
  *               When a specific component has been requested: null if the component
  *               doesn't exist in the given URL; a string or - in the case of
  *               PHP_URL_PORT - integer when it does. See parse_url()'s return values.
+ *
+ * @phpstan-param false|array{
+ *     scheme?: string,
+ *     host?: string,
+ *     port?: int<0, 65535>,
+ *     user?: string,
+ *     pass?: string,
+ *     path?: string,
+ *     query?: string,
+ *     fragment?: string,
+ * } $url_parts
+ * @phpstan-param int<-1, 7> $component
+ * @phpstan-return (
+ *     $component is -1
+ *         ? false|array{
+ *               scheme?: string,
+ *               host?: string,
+ *               port?: int<0, 65535>,
+ *               user?: string,
+ *               pass?: string,
+ *               path?: string,
+ *               query?: string,
+ *               fragment?: string,
+ *           }
+ *         : (
+ *             $component is 2
+ *                 ? int<0, 65535>|null
+ *                 : string|null
+ *         )
+ * )
  */
 function _get_component_from_parsed_url_array( $url_parts, $component = -1 ) {
 	if ( -1 === $component ) {
@@ -789,6 +839,9 @@ function _get_component_from_parsed_url_array( $url_parts, $component = -1 ) {
  *
  * @param int $constant PHP_URL_* constant.
  * @return string|false The named key or false.
+ *
+ * @phpstan-param int<-1, 7> $constant
+ * @phpstan-return 'scheme'|'host'|'port'|'user'|'pass'|'path'|'query'|'fragment'|false
  */
 function _wp_translate_php_url_constant_to_key( $constant ) {
 	$translation = array(
diff --git a/src/wp-includes/l10n.php b/src/wp-includes/l10n.php
@@ -1206,6 +1206,7 @@ function load_script_module_textdomain( string $id, string $domain = 'default',
  * @return string|false The JSON-encoded translated strings on success, false otherwise.
  */
 function _load_script_textdomain_from_src( string $handle, string $src, string $domain, string $path, bool $is_module ) {
+	/** @var WP_Textdomain_Registry $wp_textdomain_registry */
 	global $wp_textdomain_registry;
 
 	$locale = determine_locale();
@@ -1214,7 +1215,9 @@ function _load_script_textdomain_from_src( string $handle, string $src, string $
 		$path = $wp_textdomain_registry->get( $domain, $locale );
 	}
 
-	$path = untrailingslashit( $path );
+	if ( $path ) {
+		$path = untrailingslashit( $path );
+	}
 
 	// If a path was given and the handle file exists simply return it.
 	$file_base       = 'default' === $domain ? $locale : $domain . '-' . $locale;
@@ -1231,8 +1234,17 @@ function _load_script_textdomain_from_src( string $handle, string $src, string $
 	$relative       = false;
 	$languages_path = WP_LANG_DIR;
 
-	$src_url     = wp_parse_url( $src );
+	$src_url = wp_parse_url( $src );
+	if ( ! $src_url ) {
+		return load_script_translations( false, $handle, $domain );
+	}
+	$src_url['path'] ??= '';
+
 	$content_url = wp_parse_url( content_url() );
+	if ( ! $content_url ) {
+		return load_script_translations( false, $handle, $domain );
+	}
+
 	$plugins_url = wp_parse_url( plugins_url() );
 	$site_url    = wp_parse_url( site_url() );
 	$theme_root  = get_theme_root();
@@ -1304,7 +1316,7 @@ function _load_script_textdomain_from_src( string $handle, string $src, string $
 	$relative = apply_filters( 'load_script_textdomain_relative_path', $relative, $src, $is_module );
 
 	// If the source is not from WP.
-	if ( false === $relative ) {
+	if ( ! is_string( $relative ) ) {
 		return load_script_translations( false, $handle, $domain );
 	}
 
diff --git a/tests/phpunit/tests/l10n/loadScriptTextdomain.php b/tests/phpunit/tests/l10n/loadScriptTextdomain.php
@@ -172,4 +172,102 @@ public function test_does_not_throw_deprecation_notice_for_rtrim_with_default_pa
 		$expected = file_get_contents( DIR_TESTDATA . '/languages/en_US-813e104eb47e13dd4cc5af844c618754.json' );
 		$this->assertSame( $expected, load_script_textdomain( $handle ) );
 	}
+
+	/**
+	 * Tests that an unparseable script source URL short-circuits to
+	 * `load_script_translations( false, ... )` instead of falling through
+	 * to the relative-path computation.
+	 *
+	 * @ticket 65015
+	 */
+	public function test_unparseable_src_returns_false(): void {
+		$handle = 'test-unparseable-src';
+		$src    = 'http:///example';
+
+		$this->assertFalse( wp_parse_url( $src ), 'Test prerequisite failed: the test src should be unparseable.' );
+
+		wp_enqueue_script( $handle, $src, array(), null );
+
+		$this->assertFalse( load_script_textdomain( $handle, 'default', DIR_TESTDATA . '/languages' ) );
+	}
+
+	/**
+	 * Tests that an unparseable `content_url()` return value short-circuits
+	 * to `load_script_translations( false, ... )` instead of computing
+	 * `$relative` from a corrupted parsed-URL array.
+	 *
+	 * The `MockAction` spy on `pre_load_script_translations` is necessary
+	 * here because the function's tail end also calls `load_script_translations( false, ... )`,
+	 * so a regression that bypasses the early return would still return false
+	 * via the fallback path. Asserting on the recorded `$file` arguments pins
+	 * the test to the intended branch.
+	 *
+	 * @ticket 65015
+	 */
+	public function test_unparseable_content_url_returns_false(): void {
+		$handle = 'test-unparseable-content-url';
+		$src    = '/wp-includes/js/script.js';
+
+		add_filter(
+			'content_url',
+			static function () {
+				return 'http:///example';
+			}
+		);
+
+		$mock = new MockAction();
+		add_filter( 'pre_load_script_translations', array( $mock, 'filter' ), 10, 4 );
+
+		wp_enqueue_script( $handle, $src, array(), null );
+
+		$this->assertFalse( load_script_textdomain( $handle, 'default', DIR_TESTDATA . '/languages' ) );
+		$this->assertSame(
+			array(
+				DIR_TESTDATA . '/languages/en_US-' . $handle . '.json',
+				false,
+			),
+			array_column( $mock->get_args(), 1 ),
+			'Expected the unparseable content_url branch to short-circuit before any relative-path lookup.'
+		);
+	}
+
+	/**
+	 * Tests that the `load_script_textdomain_relative_path` filter returning
+	 * a non-string, non-false value (e.g., a callback that forgets to return)
+	 * short-circuits via the `! is_string( $relative )` guard rather than
+	 * falling through to string functions like `str_ends_with()` and `md5()`.
+	 *
+	 * @ticket 65015
+	 */
+	public function test_non_string_relative_path_filter_returns_false(): void {
+		$handle = 'test-non-string-relative-path';
+		$src    = '/wp-includes/js/script.js';
+
+		add_filter( 'load_script_textdomain_relative_path', '__return_null' );
+
+		wp_enqueue_script( $handle, $src, array(), null );
+
+		$this->assertFalse( load_script_textdomain( $handle, 'default', DIR_TESTDATA . '/languages' ) );
+	}
+
+	/**
+	 * Tests that a script source URL with no path component does not trigger
+	 * an undefined index warning when the path is read further down in the
+	 * function. The result is reached via the regular fallback path
+	 * (no host/path match) rather than an early return.
+	 *
+	 * @ticket 65015
+	 */
+	public function test_src_without_path_component_does_not_warn(): void {
+		$handle = 'test-src-without-path';
+		$src    = 'https://example.com';
+
+		$parsed = wp_parse_url( $src );
+		$this->assertIsArray( $parsed, 'Test prerequisite failed: the test src should parse.' );
+		$this->assertArrayNotHasKey( 'path', $parsed, 'Test prerequisite failed: the test src should have no path component.' );
+
+		wp_enqueue_script( $handle, $src, array(), null );
+
+		$this->assertFalse( load_script_textdomain( $handle, 'default', DIR_TESTDATA . '/languages' ) );
+	}
 }
