[wp-trac] [WordPress Trac] #63829: Sanitize return value of 'nonce_life' filters in wp_nonce_tick() to avoid DivisionByZeroError

WordPress Trac noreply at wordpress.org
Fri Aug 15 16:38:10 UTC 2025


#63829: Sanitize return value of 'nonce_life' filters in wp_nonce_tick() to avoid
DivisionByZeroError
-------------------------+----------------------
 Reporter:  marian1      |       Owner:  (none)
     Type:  enhancement  |      Status:  closed
 Priority:  normal       |   Milestone:
Component:  General      |     Version:
 Severity:  normal       |  Resolution:  invalid
 Keywords:               |     Focuses:
-------------------------+----------------------

Comment (by marian1):

 === `$user === $developer` is not always `true` ===

 A user installing, for example, a plugin that registers such a filter
 callback (and with auto-updates enabled, this can happen without any
 action on their part) is not necessarily the developer of that plugin, nor
 the person contacted about the error. This situation could be handled much
 more gracefully by simply validating filters and logging any errors--
 particularly as a reasonable default value exists.

 The responsible developer could still be contacted by someone reviewing
 the logs, without causing panic for the user or leaving the site non-
 functional. At the end of the day, WordPress is not only used by people
 who do not know how to deal with, or even read, such an error, but is also
 marketed to them.

 === WordPress as a safeguard, not a bugfixer ===

 I am aware that this issue would be caused by a plugin or theme developer
 rather than by WordPress itself, which is why I have classified it as an
 enhancement rather than a bug.

 Aside from the unvalidated filters across the entire codebase, my
 impression was that WordPress’ approach is more of a "better safe than
 sorry" policy. Perhaps my impression of WordPress’ role is mistaken--
 namely, that as such a heavily used platform with a massive number of
 themes and plugins, it also sees itself as a safeguard for users against
 developer errors. I read practices such as type-checking function
 arguments and validating or sanitising some filters as an indication of
 that.

 === Skip reporting similar issues? ===

 That said, I can live with WordPress not taking on this role. Am I correct
 in assuming that I can skip reporting any other issues of the same nature?

 Apologies if this has already been discussed--for someone not involved in
 WordPress core development, it can be a little overwhelming to figure out
 where to find such information.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/63829#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
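The failure mode and the mitigation the comment argues for, as an added example that is not part of the ticket and not WordPress core code. It uses a simplified stand-in for the nonce tick computation (modelled on the `ceil( time() / ( $nonce_life / 2 ) )` shape of `wp_nonce_tick()`, with a tiny `apply_filters` substitute so it runs without WordPress); all `demo_` names and the sample plugin callback are hypothetical, and the timestamp is the one on this message.

```php
<?php
// Added example, not WordPress core code. A simplified model of the nonce
// tick computation showing how an unsanitized 'nonce_life' filter return
// value reaches the division, and one way to validate it with a logged
// fallback to the default. All "demo_" names are hypothetical.

declare(strict_types=1);

const DEMO_DAY_IN_SECONDS = 86400;  // mirrors WordPress' DAY_IN_SECONDS default

/** Minimal stand-in for apply_filters(): runs each registered callback in turn. */
function demo_apply_filters(array $callbacks, mixed $value, mixed ...$args): mixed
{
    foreach ($callbacks as $cb) {
        $value = $cb($value, ...$args);
    }
    return $value;
}

/** Unsanitized variant: whatever the last filter returns is divided by directly. */
function demo_nonce_tick_unsafe(array $callbacks, int $now, int $action = -1): float
{
    $nonce_life = demo_apply_filters($callbacks, DEMO_DAY_IN_SECONDS, $action);
    // A callback returning 0 makes this a division by zero (PHP 8: DivisionByZeroError);
    // a non-numeric string would instead raise a TypeError on the operator.
    return ceil($now / ($nonce_life / 2));
}

/**
 * Sanitized variant: a return value that is not a positive number is logged
 * and replaced by the default, so a faulty callback degrades to the default
 * nonce lifetime instead of taking the site down.
 */
function demo_nonce_tick_safe(array $callbacks, int $now, int $action = -1): float
{
    $nonce_life = demo_apply_filters($callbacks, DEMO_DAY_IN_SECONDS, $action);
    if (!is_numeric($nonce_life) || (float) $nonce_life <= 0) {
        error_log(sprintf(
            "nonce_life filter returned %s; falling back to %d seconds",
            var_export($nonce_life, true),
            DEMO_DAY_IN_SECONDS
        ));
        $nonce_life = DEMO_DAY_IN_SECONDS;
    }
    return ceil($now / ((float) $nonce_life / 2));
}

// Constructed scenario: a plugin callback that (by mistake) returns 0.
$brokenPlugin = [fn ($life, $action) => 0];
$now = 1_755_275_890;  // fixed timestamp (this message's date) for reproducibility

try {
    echo "unsafe variant: ", demo_nonce_tick_unsafe($brokenPlugin, $now), PHP_EOL;
} catch (DivisionByZeroError $e) {
    echo "unsafe variant: ", get_class($e), ": ", $e->getMessage(), PHP_EOL;
}

// Same callback, but the bad value is logged and the default lifetime used.
echo "safe variant: ", demo_nonce_tick_safe($brokenPlugin, $now), PHP_EOL;
```

Run it with `php example.php` on PHP 8 or later. The `is_numeric` plus `<= 0` check is deliberately broader than "is it zero": a negative or non-numeric return is just as much a developer error, and falling back to the documented default keeps nonce verification working while the `error_log` line gives whoever reads the logs enough to find the responsible callback.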

