Ticket #3891 (closed defect (bug): fixed)
Multiple errors when passing some query variables as an a array(Only with Register Globals ON)
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Priority: | normal | Milestone: | 2.1.3 |
| Component: | General | Version: | 2.1 |
| Severity: | normal | Keywords: | m, cat, array, register globals, has-patch |
| Cc: |
Description
As readed on SecurityFocus BugTraq Mailing List:
http://www.securityfocus.com/archive/1/456731
There is a defect when passing "m" as an a array, example:
http://host/?m[]=
Also i found that "cat" has the same bug like "m" value but only disclouses a error in function urldecode():
http://host/?cat[]=
This bug/defect only works if "Register Globals" directive on PHP is turned ON.
I Think this patch is a temporary solution to the problem and also i think it could be solved in other area.
Other live examples:
http://alexking.org/?m[]=
http://boren.nu/?m[]=
http://dougal.gunters.org/?cat[]=
Attachments
-
m_and_cat_problem_with_array_and_PHPGLOBAL.patch
(1.6 KB) -
added by g30rg3x 5 years ago.
- Temporary Solution
-
query.php.diff
(1.0 KB) -
added by g30rg3x 5 years ago.
- More General Fix and Possibly a Better Solution to the Defect.
-
cast_qvs_to_string.diff
(487 bytes) -
added by markjaquith 5 years ago.
- cast to string
Change History
-
attachment
m_and_cat_problem_with_array_and_PHPGLOBAL.patch
added
comment:1
follow-up:
↓ 2
markjaquith — 5 years ago
Maybe we should just cast all QVs to strings early on. None of them, to my knowledge, support arrays anyway. They're all comma separated (the ones that accept multiple values)
Replying to markjaquith: You are right..., it has more defects like this in other query vars, now i am researching more defects like this and probably upload a new general fix for this problem...
-
attachment
query.php.diff
added
More General Fix and Possibly a Better Solution to the Defect.
- Summary changed from Multiple Errors When passing as an array variables "m" and "cat" (Only with PHP Register Globals ON) to Multiple errors when passing some query variables as an a array(Only with Register Globals ON)
Update
This new title explains better the problem, because not only "m" and "cat" have the same problem with an arrays, also variables "subpost", "attachment", "name", "pagename", "category_name", "feed", "tb" and "comments_popup", in fact most of the variables in the array $keys inside the function "fill_query_vars".
Also the variable "s" seems to be partially (or non) affected, passing "s" as an a array will make display the resource identifier "Array", but i dont see a real problem here.
This new solution i think is better than previous but i still thinking that there is another way to fix this problem, because "cat" variable its not un $keys array and need to be fixed alone like the previous patch that i deliver as temporary solution.
comment:4
follow-up:
↓ 5
markjaquith — 5 years ago
- Keywords has-patch added
- Owner changed from anonymous to markjaquith
- Status changed from new to assigned
Uploaded my solution. Simply: cast to string when going through the public_query_vars.
Replying to markjaquith:
Woah, its and quite amazing simply solution, but it has a little problem the function wp_title() in "general-template.php" takes the query value in raw and we can still see in the title Arra, needs a little more.
comment:6
follow-up:
↓ 7
markjaquith — 5 years ago
g30rg3x,
What URL did you use to get wp_title() to show "Arra" ?
Replying to markjaquith:
http://host/?m[]=
and
http://host/?year[]=
- Keywords globals, added; globals removed
markjaquith: The bugs in wp_title() function, has more implications in the security but its no more related to this bug, i will open a new ticket for resolving that problem...
Consider fixed this ticket...
comment:9
markjaquith — 5 years ago
comment:10
markjaquith — 5 years ago
- Status changed from assigned to closed
- Resolution set to fixed
Temporary Solution