Automattic / woocommerce-subscriptions-core

Subscriptions core package for WooCommerce

Missing is_callable() check during output of shipping/billing address in subscription meta box #401

Closed dennisnissle closed 1 year ago

dennisnissle commented 1 year ago

Describe the bug

In the WCS_Meta_Box_Subscription_Data class, for each billing (and shipping) field, the value is obtained the following way:

$field['value'] = $subscription->{"get_billing_$key"}();

and

$field['value'] = $subscription->{"get_shipping_$key"}();

This will result in a fatal error for custom shipping/billing fields added by third-party developers. That's why the is_callable() check is added in the same file while constructing the address display values, e.g.:

$function_name = 'get_billing_' . $key;

if ( is_callable( array( $subscription, $function_name ) ) ) {
    $field_value = $subscription->$function_name( 'edit' );
} else {
    $field_value = $subscription->get_meta( '_billing_' . $key );
}

The same check is needed for lines 216 and 306. This is a serious bug which will lead to many user complaints.

To Reproduce

Register a custom shipping field:

add_filter( 'woocommerce_admin_billing_fields', function( $fields ) {
    $fields['my_custom_field'] = array(
        'label' => 'My custom field'
    );

    return $fields;
}, 0 );

Navigate to WooCommerce > Subscriptions and select a subscription - fatal error occurs.

Expected behavior

Use is_callable() before calling order/subscription methods.

Product impact

mattallan commented 1 year ago

Thanks @dennisnissle for the detailed report, we've got a fix for this issue here: https://github.com/Automattic/woocommerce-subscriptions-core/pull/403
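
The failure mode reported in this issue, reproduced outside WordPress as an added example; it is not code from the plugin or from the linked pull request. `Stub_Subscription` and `example_get_address_field()` are hypothetical names, and the stub only stands in for a subscription object with one real getter and a meta store.

```php
<?php
// Constructed stand-in for a subscription object; NOT the real WC_Subscription class.
class Stub_Subscription {
    private $meta = array( '_billing_my_custom_field' => 'custom value' );

    public function get_billing_first_name( $context = 'view' ) {
        return 'Jane';
    }

    public function get_meta( $key ) {
        return isset( $this->meta[ $key ] ) ? $this->meta[ $key ] : '';
    }
}

// Hypothetical helper: use the getter when one exists, otherwise fall back
// to the meta key, following the guarded snippet quoted in the issue.
function example_get_address_field( $subscription, $type, $key ) {
    $function_name = 'get_' . $type . '_' . $key;

    // is_callable() also returns true for any method name when the class
    // defines __call(), so with such a class the getter branch is always taken.
    if ( is_callable( array( $subscription, $function_name ) ) ) {
        return $subscription->$function_name( 'edit' );
    }

    return $subscription->get_meta( '_' . $type . '_' . $key );
}

$subscription = new Stub_Subscription();

// Keys as a filter might leave them: one core field, one third-party field.
foreach ( array( 'first_name', 'my_custom_field' ) as $key ) {
    // Unguarded dynamic call, in the form the issue reports.
    try {
        $value = $subscription->{"get_billing_$key"}();
        echo "unguarded $key: $value\n";
    } catch ( Error $e ) {
        // PHP 7+ throws Error for an undefined method; uncaught, it is fatal.
        echo "unguarded $key: " . get_class( $e ) . ': ' . $e->getMessage() . "\n";
    }

    // Guarded lookup: never calls a method that does not exist on the object.
    echo "guarded   $key: " . example_get_address_field( $subscription, 'billing', $key ) . "\n";
}
```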