Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#44652 closed defect (bug) (duplicate)

Lack of proper type checking in parse_query leads to PHP warnings

Reported by: sfasfsafds's profile sfasfsafds Owned by:
Milestone: Priority: normal
Severity: normal Version: 2.7
Component: Query Keywords: has-patch
Focuses: Cc:

Description

A URL has been used to trigger errors on our site. You can use the following URL (just replace the domain with that of a WordPress site) to trigger the error. If you logged in as Admin you can see the following warnings.

http://www.domain.com/?name%5b%2523markup%5d=echo%2520-n%2520%2527ZWNobyBwb25pZXM%253D%2527%2520%257C%2520base64%2520-d%2520%257C%2520bash&name%5b%2523post_render%5d%5b0%5d=passthru&q=/user/password

Notice: Array to string conversion in /var/www/html/wp-includes/class-wp.php
Warning: trim() expects parameter 1 to be string, array given in /var/www/html/wp-includes/class-wp-query.php

Attachments (1)

44652.diff (996 bytes) - added by arcturusink 6 years ago.
Patch for ticket 44652

Download all attachments as: .zip

Change History (6)

#1 @chriscct7
6 years ago

  • Component changed from Security to Query
  • Keywords good-first-bug added
  • Version changed from 4.9.7 to 2.7

In wp-includes/class-wp-query.php, the function parse_query does not validate the datatype of several variables, in this example URL, name, prior to running trim() on it, which requires a string (or castable) datatype. As an array is not non-overloaded castable to string in PHP, a PHP warning will be thrown as the first parameter of trim() requires a string.

There's a couple sections in here where an is_string check could be run, and if the comparison fails cast it to an empty string (discard). For example:

$qv['pagename'] = trim( $qv['pagename'] );
$qv['name']     = trim( $qv['name'] );
$qv['title']    = trim( $qv['title'] );

could be

$qv['pagename'] = is_string( $qv['pagename'] ) ? trim( $qv['pagename'] ) : '';
$qv['name']     = is_string( $qv['name']     ) ? trim( $qv['name'] )     : '';
$qv['title']    = is_string( $qv['title']    ) ? trim( $qv['title'] )    : '';

This makes for a good-first-bug, as the changes required are simple and contained, and provides a good, easy bug to provide PHP unit tests for.

The bug for pagename and name using trim without type checking was introduced in #7537.
The bug for title was introduced on addition in #33074.

As a result, the bug has existing since the merge of [8667] in WordPress 2.7.

#2 @chriscct7
6 years ago

  • Summary changed from URL Hash Vulnerability to Lack of proper type checking in parse_query leads to PHP warnings

@arcturusink
6 years ago

Patch for ticket 44652

#3 @arcturusink
6 years ago

  • Keywords has-patch added; needs-patch removed

#4 @arcturusink
6 years ago

I have made the suggested changes.

Please, let me know of any further thoughts/feedback.

Thanks, arcturusink.

#5 @SergeyBiryukov
6 years ago

  • Keywords good-first-bug removed
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hi @sfasfsafds, welcome to WordPress Trac!

Thanks for the report, we're already tracking this issue in #17737.

@arcturusink, thanks for the patch! Could you please upload it to #17737?

Note: See TracTickets for help on using tickets.