Media: Guard gutenberg_delete_heic_companion_file() against non-string $metadata['original']

[lancewillett]

What?

Closes #78127.

Adds an is_string() guard to gutenberg_delete_heic_companion_file() so it bails on attachments whose wp_get_attachment_metadata()['original'] is not a string filename.

Why?

The function is hooked to delete_attachment for all attachment types and assumes $metadata['original'] is a string (the HEIC sideload's companion filename). Other attachment types — or any plugin filtering wp_get_attachment_metadata — may legitimately put a non-string value (commonly an array) at the original key.

The existing empty() check passes for a non-empty array, so the bad value reaches path_join() -> path_is_absolute() -> wp_is_stream() -> strpos(), which throws:

Uncaught TypeError: strpos(): Argument #1 ($haystack) must be of type string, array given

Full repro and stack trace in #78127.

How?

Extends the early bail to require is_string( $metadata['original'] ). One-line change.

Testing Instructions

1. Apply this PR.
2. Add the filter from gutenberg_delete_heic_companion_file() fatals when $metadata['original'] is not a string #78127:

   add_filter( 'wp_get_attachment_metadata', function ( $data ) {
       return array_merge( (array) $data, [ 'original' => [ 'foo' => 'bar' ] ] );
   } );

3. Delete an attachment: wp_delete_attachment( $id, true );

• Before: TypeError from strpos() inside gutenberg_delete_heic_companion_file().
• After: silent no-op for non-string original; HEIC cleanup unaffected when original is a string filename.

Testing Instructions for Keyboard

N/A — server-side fix, no UI.

Screenshots or screencast

N/A — server-side fix, no UI.

Use of AI Tools

AI-assisted analysis identified the type-safety gap and drafted the one-line guard. The author reviewed the diff, repro, and PR body before submitting.

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: lancewillett <lancewillett@git.wordpress.org>
Co-authored-by: mikachan <mikachan@git.wordpress.org>
Co-authored-by: ramonjd <ramonopoly@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[github-actions]

Flaky tests detected in d7df117.
Some tests passed with failed attempts. The failures may not be related to this commit but are still reported for visibility. See the documentation for more information.

🔍 Workflow run URL: https://github.com/WordPress/gutenberg/actions/runs/25687914524
📝 Reported issues:

• [Flaky Test] should move focus back to the Publish panel toggle button when canceling #77721 in /test/e2e/specs/editor/various/publish-panel.spec.js

[mikachan]

This change looks good to me, thank you!

I've also updated the related backport changelog file to allow the checks to pass on this PR.

[ramonjd]

LGTM I'll merge this and provide an update on WordPress/wordpress-develop#11323