﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
17737	Be better at forcing data types for query vars	juliobox		"I already emailed this flaw to security@wordpress.org, but Andrew Nacin told me that this is not a WordPress flaw but a PHP server config flaw. So I am posting it here now.[[BR]]

----

''Exploit'' : http://WEBSITE.COM/?author[]=1 [[BR]]
''Problem'' : FPD (https://www.owasp.org/index.php/Full_Path_Disclosure) [[BR]]
''Solution'' : Add this ""@ini_set('display_errors', 0);"" or this ""error_reporting(0);"" at the end of the wp-config.php file. [[BR]]
''Patch'' : [[BR]]
1) wp-includes/query.php line 2239 [[BR]]
Replace
{{{
$q['author'] = (string)urldecode($q['author']);
}}}
with
{{{
if ( is_array( $q['author'] ) ) {
    $q['author'] = $q['author'][0];
}
$q['author'] = (string)urldecode($q['author']);
}}}

2) wp-includes/canonical.php line 142 [[BR]]
Replace 
{{{
} elseif ( is_author() && !empty($_GET['author']) && preg_match( '|^[0-9]+$|', $_GET['author'] ) ) {
}}}
with
{{{
} elseif ( is_author() && !empty($_GET['author']) && preg_match( '|^[0-9]+$|', !is_array($_GET['author']) ? $_GET['author'] : $_GET['author'][0] ) ) {
}}}
[[BR]]
'''Julio''' - [http://www.boiteaweb.fr]"	defect (bug)	new	normal	Future Release	Query	3.0	normal		has-patch	
