Opened 6 years ago
Closed 6 years ago
#44652 closed defect (bug) (duplicate)
Lack of proper type checking in parse_query leads to PHP warnings
Reported by: | sfasfsafds | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 2.7 |
Component: | Query | Keywords: | has-patch |
Focuses: | Cc: |
Description
A URL has been used to trigger errors on our site. You can use the following URL (just replace the domain with that of a WordPress site) to trigger the error. If you logged in as Admin you can see the following warnings.
Notice: Array to string conversion in /var/www/html/wp-includes/class-wp.php
Warning: trim() expects parameter 1 to be string, array given in /var/www/html/wp-includes/class-wp-query.php
Attachments (1)
Change History (6)
#1
@
6 years ago
- Component changed from Security to Query
- Keywords good-first-bug added
- Version changed from 4.9.7 to 2.7
#2
@
6 years ago
- Summary changed from URL Hash Vulnerability to Lack of proper type checking in parse_query leads to PHP warnings
#4
@
6 years ago
I have made the suggested changes.
Please, let me know of any further thoughts/feedback.
Thanks, arcturusink.
Note: See
TracTickets for help on using
tickets.
In
wp-includes/class-wp-query.php
, the functionparse_query
does not validate the datatype of several variables, in this example URL,name
, prior to runningtrim()
on it, which requires a string (or castable) datatype. As an array is not non-overloaded castable to string in PHP, a PHP warning will be thrown as the first parameter oftrim()
requires a string.There's a couple sections in here where an
is_string
check could be run, and if the comparison fails cast it to an empty string (discard). For example:$qv['pagename'] = trim( $qv['pagename'] ); $qv['name'] = trim( $qv['name'] ); $qv['title'] = trim( $qv['title'] );
could be
$qv['pagename'] = is_string( $qv['pagename'] ) ? trim( $qv['pagename'] ) : ''; $qv['name'] = is_string( $qv['name'] ) ? trim( $qv['name'] ) : ''; $qv['title'] = is_string( $qv['title'] ) ? trim( $qv['title'] ) : '';
This makes for a good-first-bug, as the changes required are simple and contained, and provides a good, easy bug to provide PHP unit tests for.
The bug for pagename and name using trim without type checking was introduced in #7537.
The bug for title was introduced on addition in #33074.
As a result, the bug has existing since the merge of [8667] in WordPress 2.7.