WordPress.org

Make WordPress Core

Opened 8 years ago

Closed 8 years ago

#3891 closed defect (bug) (fixed)

Multiple errors when passing some query variables as an array (Only with Register Globals ON)

Reported by: g30rg3x
Owned by: markjaquith
Milestone: 2.1.3
Priority: normal
Severity: normal
Version: 2.1
Component: General
Keywords: m, cat, array, register globals, has-patch
Focuses:
Cc:

Description

As read on the SecurityFocus BugTraq mailing list:
http://www.securityfocus.com/archive/1/456731

There is a defect when passing "m" as an array, for example:
http://host/?m[]=


Also, I found that "cat" has the same bug as the "m" value, but it only discloses an error in the function urldecode():
http://host/?cat[]=


This bug/defect only works if the "Register Globals" directive in PHP is turned ON.
I think this patch is a temporary solution to the problem, and I also think it could be solved in another area.

Other live examples:
http://alexking.org/?m[]=
http://boren.nu/?m[]=
http://dougal.gunters.org/?cat[]=

Attachments (3)

m_and_cat_problem_with_array_and_PHPGLOBAL.patch (1.6 KB) - added by g30rg3x 8 years ago.
Temporary Solution
query.php.diff (1.0 KB) - added by g30rg3x 8 years ago.
More General Fix and Possibly a Better Solution to the Defect.
cast_qvs_to_string.diff (487 bytes) - added by markjaquith 8 years ago.
cast to string


Change History (13)

@g30rg3x 8 years ago

Temporary Solution

comment:1 follow-up: @markjaquith 8 years ago

Maybe we should just cast all QVs to strings early on. None of them, to my knowledge, support arrays anyway. They're all comma separated (the ones that accept multiple values)

comment:2 in reply to: ↑ 1 @g30rg3x 8 years ago

Replying to markjaquith:
You are right... there are more defects like this in other query vars. I am now researching more defects like this and will probably upload a new general fix for this problem...

@g30rg3x 8 years ago

More General Fix and Possibly a Better Solution to the Defect.

comment:3 @g30rg3x 8 years ago

  • Summary changed from Multiple Errors When passing as an array variables "m" and "cat" (Only with PHP Register Globals ON) to Multiple errors when passing some query variables as an array (Only with Register Globals ON)

Update
This new title explains the problem better, because not only "m" and "cat" have the same problem with arrays, but also the variables "subpost", "attachment", "name", "pagename", "category_name", "feed", "tb" and "comments_popup"; in fact, most of the variables in the array $keys inside the function "fill_query_vars".
Also, the variable "s" seems to be partially (or not) affected; passing "s" as an array will display the resource identifier "Array", but I don't see a real problem here.

I think this new solution is better than the previous one, but I still think that there is another way to fix this problem, because the "cat" variable is not in the $keys array and needs to be fixed separately, as in the previous patch that I delivered as a temporary solution.

@markjaquith 8 years ago

cast to string

comment:4 follow-up: @markjaquith 8 years ago

  • Keywords has-patch added
  • Owner changed from anonymous to markjaquith
  • Status changed from new to assigned

Uploaded my solution. Simply: cast to string when going through the public_query_vars.

comment:5 in reply to: ↑ 4 @g30rg3x 8 years ago

Replying to markjaquith:

Whoa, it's quite an amazingly simple solution, but it has a little problem: the function wp_title() in "general-template.php" takes the raw query value, and we can still see "Arra" in the title; it needs a little more.

comment:6 follow-up: @markjaquith 8 years ago

g30rg3x,

What URL did you use to get wp_title() to show "Arra" ?

comment:8 @g30rg3x 8 years ago

  • Keywords changed from m, cat, array, register globals has-patch to m, cat, array, register globals, has-patch

markjaquith: The bugs in the wp_title() function have more security implications, but that is no longer related to this bug; I will open a new ticket for resolving that problem...
Consider this ticket fixed...

comment:9 @markjaquith 8 years ago

(In [4965]) Cast query vars to strings. fixes #3891

That fixes it for trunk. I'll hold off on fixing it for 2.1.3 until it has been in trunk for a few days.

comment:10 @markjaquith 8 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [4991]) Cast query vars to strings. fixes #3891
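
The cast discussed in comments 1 and 4, as an added PHP example that is not part of the ticket or WordPress's own code; `normalize_query_vars()` and the sample query string are hypothetical and constructed for illustration. It is a variant of the plain cast: non-scalar values are replaced with an empty string, because `(string)` applied to an array yields the literal text `Array`.

```php
<?php
// Added example, not WordPress code. All names here are hypothetical.

/**
 * Return only the allowed query vars, each forced to a string.
 *
 * A parameter written as "m[]=" reaches PHP as an array. String functions
 * such as urldecode() then raise a type error or warning, and a plain
 * (string) cast on the array produces the text "Array". Replacing
 * non-scalar input with '' avoids both outcomes.
 */
function normalize_query_vars(array $request, array $allowed): array
{
    $clean = [];
    foreach ($allowed as $key) {
        if (!array_key_exists($key, $request)) {
            continue; // variable not supplied in this request
        }
        $value = $request[$key];
        $clean[$key] = is_scalar($value) ? (string) $value : '';
    }
    return $clean;
}

// Constructed request with the same shape as the URLs in the report.
parse_str('m[]=&cat[]=&s=hello&p=42&unlisted[]=x', $request);

// Before normalization, "m" and "cat" are arrays, not strings.
var_dump(is_array($request['m']), is_array($request['cat']));

// Hypothetical allow-list standing in for the public query vars.
$vars = normalize_query_vars($request, ['m', 'cat', 's', 'p']);

// Every surviving value is a string; "unlisted" was dropped entirely.
foreach ($vars as $key => $value) {
    printf("%-3s => %s\n", $key, var_export($value, true));
}

// String functions downstream can now rely on the type.
var_dump(urldecode($vars['cat']), substr($vars['m'], 0, 4));
```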
