WordPress.org

Make WordPress Core

Opened 10 years ago

Closed 10 years ago

#3891 closed defect (bug) (fixed)

Multiple errors when passing some query variables as an array (Only with Register Globals ON)

Reported by: g30rg3x
Owned by: markjaquith
Milestone: 2.1.3
Priority: normal
Severity: normal
Version: 2.1
Component: General
Keywords: m, cat, array, register globals, has-patch
Focuses:
Cc:

Description

As read on the SecurityFocus BugTraq mailing list:
http://www.securityfocus.com/archive/1/456731

There is a defect when passing "m" as an array, for example:
http://host/?m[]=


Also, I found that "cat" has the same bug as the "m" value, but it only discloses an error in the function urldecode():
http://host/?cat[]=


This bug/defect only works if the "Register Globals" directive in PHP is turned ON.
I think this patch is a temporary solution to the problem, and I also think it could be solved in another area.

Other live examples:
http://alexking.org/?m[]=
http://boren.nu/?m[]=
http://dougal.gunters.org/?cat[]=

Attachments (3)

m_and_cat_problem_with_array_and_PHPGLOBAL.patch (1.6 KB) - added by g30rg3x 10 years ago.
Temporary Solution
query.php.diff (1.0 KB) - added by g30rg3x 10 years ago.
More General Fix and Possibly a Better Solution to the Defect.
cast_qvs_to_string.diff (487 bytes) - added by markjaquith 10 years ago.
cast to string


Change History (13)

#1 follow-up: @markjaquith
10 years ago

Maybe we should just cast all QVs to strings early on. None of them, to my knowledge, support arrays anyway. They're all comma separated (the ones that accept multiple values)

#2 in reply to: ↑ 1 @g30rg3x
10 years ago

Replying to markjaquith:
You are right... it has more defects like this in other query vars. Now I am researching more defects like this and will probably upload a new general fix for this problem...

@g30rg3x
10 years ago

More General Fix and Possibly a Better Solution to the Defect.

#3 @g30rg3x
10 years ago

  • Summary changed from Multiple Errors When passing as an array variables "m" and "cat" (Only with PHP Register Globals ON) to Multiple errors when passing some query variables as an array (Only with Register Globals ON)

Update
This new title explains the problem better, because not only "m" and "cat" have the same problem with arrays, but also the variables "subpost", "attachment", "name", "pagename", "category_name", "feed", "tb" and "comments_popup", in fact most of the variables in the array $keys inside the function "fill_query_vars".
Also, the variable "s" seems to be partially (or not) affected; passing "s" as an array will display the resource identifier "Array", but I don't see a real problem here.

I think this new solution is better than the previous one, but I still think that there is another way to fix this problem, because the "cat" variable is not in the $keys array and needs to be fixed alone, like in the previous patch that I delivered as a temporary solution.

@markjaquith
10 years ago

cast to string

#4 follow-up: @markjaquith
10 years ago

  • Keywords has-patch added
  • Owner changed from anonymous to markjaquith
  • Status changed from new to assigned

Uploaded my solution. Simply: cast to string when going through the public_query_vars.

#5 in reply to: ↑ 4 @g30rg3x
10 years ago

Replying to markjaquith:

Woah, it's a quite amazingly simple solution, but it has a little problem: the function wp_title() in "general-template.php" takes the raw query value and we can still see "Arra" in the title; it needs a little more.

#6 follow-up: @markjaquith
10 years ago

g30rg3x,

What URL did you use to get wp_title() to show "Arra" ?

#8 @g30rg3x
10 years ago

  • Keywords changed from m, cat, array, register globals has-patch to m, cat, array, register globals, has-patch

markjaquith: The bugs in the wp_title() function have more security implications, but they are no longer related to this bug; I will open a new ticket for resolving that problem...
Consider this ticket fixed...

#9 @markjaquith
10 years ago

(In [4965]) Cast query vars to strings. fixes #3891

That fixes it for trunk. I'll hold off on fixing it for 2.1.3 until it has been in trunk for a few days.

#10 @markjaquith
10 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [4991]) Cast query vars to strings. fixes #3891
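
The approach discussed in this ticket, sketched as an added example (not WordPress core code and not taken from the attached patches); the helper `normalize_query_vars()` and its allow-list are hypothetical. It goes one step beyond a plain cast by mapping array input to an empty string, because `(string)` applied to an array yields the literal "Array".

```php
<?php
// Added example: hypothetical helper, not WordPress core code.
// Normalises request parameters so downstream string functions
// (urldecode(), preg_match(), ...) never receive an array.

/**
 * @param array $request Raw request parameters, e.g. $_GET.
 * @param array $allowed Names of the query vars the application accepts.
 * @return array         name => string for every allowed var that was sent.
 */
function normalize_query_vars(array $request, array $allowed): array
{
    $clean = [];
    foreach ($allowed as $name) {
        if (!array_key_exists($name, $request)) {
            continue; // var not sent: leave it unset
        }
        $value = $request[$name];
        // ?m[]= arrives as an array. A bare (string) cast would turn it
        // into the literal "Array" and raise a conversion notice, so
        // non-scalar input is replaced with an empty string instead.
        $clean[$name] = is_scalar($value) ? (string) $value : '';
    }
    return $clean;
}

// Constructed sample input: what PHP builds for /?m[]=&cat[]=&s=hello&x=1
$request = ['m' => [''], 'cat' => [''], 's' => 'hello', 'x' => '1'];
// Assumed allow-list for this example ("x" is deliberately not on it).
$allowed = ['m', 'cat', 's', 'name', 'feed'];

$vars = normalize_query_vars($request, $allowed);
var_dump($vars);

// Every value is now a string, so string-only functions no longer
// emit the type errors that disclosed file paths in the report.
foreach ($vars as $name => $value) {
    echo $name, ' => "', urldecode($value), "\"\n";
}
```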
