From 9086cb5a2758bb337187b4b5376a674511f8a3ef Mon Sep 17 00:00:00 2001
From: Marcel Werk <burntime@woltlab.com>
Date: Tue, 17 Mar 2026 11:06:42 +0100
Subject: [PATCH] Fix `messageID=0` in message embedded objects
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The “messageID” has not been validated, which may have resulted in orphaned entries in existing installations.
---
 .../acp/update_com.woltlab.wcf_6.3_embeddedObjects.php    | 8 ++++++++
 .../object/MessageEmbeddedObjectManager.class.php         | 8 ++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 wcfsetup/install/files/acp/update_com.woltlab.wcf_6.3_embeddedObjects.php

diff --git a/wcfsetup/install/files/acp/update_com.woltlab.wcf_6.3_embeddedObjects.php b/wcfsetup/install/files/acp/update_com.woltlab.wcf_6.3_embeddedObjects.php
new file mode 100644
index 00000000000..910b324c1c4
--- /dev/null
+++ b/wcfsetup/install/files/acp/update_com.woltlab.wcf_6.3_embeddedObjects.php
@@ -0,0 +1,8 @@
+<?php
+
+use wcf\system\WCF;
+
+// Remove orphaned entries associated with `messageID=0`.
+$sql = "DELETE FROM wcf1_message_embedded_object WHERE messageID = ?";
+$statement = WCF::getDB()->prepare($sql);
+$statement->execute([0]);
diff --git a/wcfsetup/install/files/lib/system/message/embedded/object/MessageEmbeddedObjectManager.class.php b/wcfsetup/install/files/lib/system/message/embedded/object/MessageEmbeddedObjectManager.class.php
index ab6ea9d9699..7ff27c81b28 100644
--- a/wcfsetup/install/files/lib/system/message/embedded/object/MessageEmbeddedObjectManager.class.php
+++ b/wcfsetup/install/files/lib/system/message/embedded/object/MessageEmbeddedObjectManager.class.php
@@ -100,6 +100,10 @@ public function registerObjects(HtmlInputProcessor $htmlInputProcessor, $isBulk
         $messageObjectTypeID = $context['objectTypeID'];
         $messageID = $context['objectID'];
 
+        if (!$messageID) {
+            throw new \BadMethodCallException("No 'messageID' was set.");
+        }
+
         // delete existing assignments
         if ($removeExistingObjects) {
             if ($isBulk) {
@@ -195,6 +199,10 @@ public function commitBulkOperation()
      */
     public function registerSimpleObjects($messageObjectType, $messageID, array $embeddedContent)
     {
+        if (!$messageID) {
+            throw new \BadMethodCallException("No 'messageID' was given.");
+        }
+
         $messageObjectTypeID = ObjectTypeCache::getInstance()
             ->getObjectTypeIDByName('com.woltlab.wcf.message', $messageObjectType);