Opened 19 years ago
Closed 19 years ago
#3891 closed defect (bug) (fixed)
Multiple errors when passing some query variables as an array (Only with Register Globals ON)
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 2.1.3 | Priority: | normal |
| Severity: | normal | Version: | 2.1 |
| Component: | General | Keywords: | m, cat, array, register globals, has-patch |
| Focuses: | | Cc: | |
Description
As read on the SecurityFocus BugTraq mailing list:
http://www.securityfocus.com/archive/1/456731
There is a defect when passing "m" as an array, for example:
http://host/?m[]=
Also, I found that "cat" has the same bug as the "m" value, but it only discloses an error in the function urldecode():
http://host/?cat[]=
This bug/defect only works if the "Register Globals" directive in PHP is turned ON.
I think this patch is a temporary solution to the problem, and I also think it could be solved in another area.
Other live examples:
http://alexking.org/?m[]=
http://boren.nu/?m[]=
http://dougal.gunters.org/?cat[]=
Attachments (3)
Change History (13)
#1 (follow-up: ↓ 2) 19 years ago
Maybe we should just cast all QVs to strings early on. None of them, to my knowledge, support arrays anyway. They're all comma separated (the ones that accept multiple values)
#2 (in reply to: ↑ 1) 19 years ago
Replying to markjaquith:
You are right... there are more defects like this in other query vars. I am now researching more defects like this and will probably upload a new general fix for this problem...
#3 19 years ago
- Summary changed from Multiple Errors When passing as an array variables "m" and "cat" (Only with PHP Register Globals ON) to Multiple errors when passing some query variables as an array (Only with Register Globals ON)
Update
This new title explains the problem better, because not only "m" and "cat" have the same problem with arrays, but also the variables "subpost", "attachment", "name", "pagename", "category_name", "feed", "tb" and "comments_popup", in fact most of the variables in the array $keys inside the function "fill_query_vars".
Also, the variable "s" seems to be partially (or not) affected; passing "s" as an array will display the resource identifier "Array", but I don't see a real problem here.
I think this new solution is better than the previous one, but I still think that there is another way to fix this problem, because the "cat" variable is not in the $keys array and needs to be fixed alone, like the previous patch that I delivered as a temporary solution.
#4 (follow-up: ↓ 5) 19 years ago
- Keywords has-patch added
- Owner changed from anonymous to markjaquith
- Status changed from new to assigned
Uploaded my solution. Simply: cast to string when going through the public_query_vars.
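The cast-to-string approach discussed in comments #1 and #4, sketched as an added PHP example (it is not WordPress code and not the attached patch); the function name `normalize_query_vars` and the sample request are hypothetical. It goes one step beyond a plain cast by replacing non-scalar values with an empty string, since casting an array yields the literal text "Array".

```php
<?php
// Added illustration, not WordPress code. All names here are hypothetical.

// Subset of the query variable names mentioned in this ticket.
$public_query_vars = array('m', 'cat', 'year', 's', 'name', 'pagename', 'feed', 'tb');

/**
 * Return only the allowed query vars, each guaranteed to be a string.
 * Non-scalar input (e.g. ?m[]=) becomes '' instead of being cast,
 * because (string) array(...) produces the literal "Array".
 */
function normalize_query_vars(array $request, array $allowed)
{
    $clean = array();
    foreach ($allowed as $key) {
        if (!isset($request[$key])) {
            continue; // variable not supplied in this request
        }
        $value = $request[$key];
        $clean[$key] = is_scalar($value) ? (string) $value : '';
    }
    return $clean;
}

// Constructed sample input: what PHP builds for ?m[]=&cat[]=&year=2007&s=test
$request = array(
    'm'    => array(''),
    'cat'  => array(''),
    'year' => '2007',
    's'    => 'test',
);

$vars = normalize_query_vars($request, $public_query_vars);

// Every value can now be handed to string functions such as urldecode()
// without a type error being disclosed to the visitor.
foreach ($vars as $key => $value) {
    printf("%-5s => %s\n", $key, var_export(urldecode($value), true));
}

// For comparison: a plain cast avoids the type error but leaves "Array"
// in the value (recent PHP versions also emit an "Array to string
// conversion" diagnostic, suppressed here with @).
$cast = @(string) $request['m'];
echo 'plain cast of m: ', var_export($cast, true), "\n";
```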
#5 (in reply to: ↑ 4) 19 years ago
Replying to markjaquith:
Whoa, it's quite an amazingly simple solution, but it has a little problem: the function wp_title() in "general-template.php" takes the raw query value, and we can still see "Arra" in the title; it needs a little more.
#7 (in reply to: ↑ 6) 19 years ago
Replying to markjaquith:
http://host/?m[]=
and
http://host/?year[]=
#8 19 years ago
- Keywords changed from m, cat, array, register globals has-patch to m, cat, array, register globals, has-patch
markjaquith: The bugs in the wp_title() function have more security implications, but they are no longer related to this bug; I will open a new ticket for resolving that problem...
Consider this ticket fixed...
Temporary Solution