WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 3 years ago

Last modified 3 weeks ago

#16097 closed defect (bug) (wontfix)

wordpress and float error causes server to exceed resources

Reported by: fristopher Owned by:
Milestone: Priority: normal
Severity: critical Version:
Component: General Keywords:
Focuses: Cc:

Description

as seen here

http://www.exploringbinary.com/php-hangs-on-numeric-value-2-2250738585072011e-308/

would work for http://domain.com/?orderby=2.2250738585072011e-308

I know this is a php bug, but it happens to wordpress sites, and could be used as a denial of service, if people keep making requests.

Attachments (1)

php-floating-point-dos-attack-workaround.php (655 bytes) - added by SergeyBiryukov 3 years ago.

Download all attachments as: .zip

Change History (12)

comment:2 fristopher3 years ago

here is the error it produces

Fatal error: Maximum execution time of 30 seconds exceeded in /wp-includes/query.php on line 2194

comment:3 nacin3 years ago

  • Milestone changed from Awaiting Review to 3.1

We've been looking into this since last night, thanks.

It would be nice if reports that are vulnerabilities in nature get reported to security@… in the future. Thanks.

comment:4 ryan3 years ago

If this triggers when we check a value against a white list as part of our input sanitization, this is gonna be no fun to fix.

comment:5 nacin3 years ago

  • Version 3.0.4 deleted

This has been fixed upstream. There is very little we can do here. Line 2194 is:

	if ( ! in_array($orderby, $allowed_keys) )

If we can't do that, I'm not sure there's much we can do to sanitize this in userland. The fix was one word upstream, but could be a significant amount of code downstream.

comment:6 jane3 years ago

  • Resolution set to wontfix
  • Status changed from new to closed

Per IRC chat 11/5/2011, closing wontfix. Not under our control. Plan is to contact PHP guys to see if there's anything we should do, contact major hosts to make sure they're aware of it, post on WP blogs to warn users.

comment:7 SergeyBiryukov3 years ago

Turned the code by AirCraft24.com into a plugin which also handles:

  • Different decimal point placement: 222.50738585072011e-310
  • Trailing zeroes: 2.22507385850720110e-308
  • Capital exponent sign

comment:8 kcristiano3 years ago

I just placed this in the wp-content/mu-plugins folder on 6 tests sites and this fixes the problem perfectly.

I tested on CentOS 5.5 with php 5.3.3 and IIS 7 with php 5.3.3. Both were affected prior to using the plugin, both are fine now. I used Wordpress 3.0.4 and 3.1-RC2 for testing.

Thanks for turning the code in a plugin.

comment:9 SergeyBiryukov3 years ago

Made a request on the Plugin Directory.

comment:10 SergeyBiryukov3 years ago

The plugin is now available in the Plugin Directory.

I've added array handling in the development version. Would appreciate feedback.

Version 0, edited 3 years ago by SergeyBiryukov (next)

comment:11 SergeyBiryukov3 weeks ago

  • Milestone 3.1 deleted
Note: See TracTickets for help on using tickets.