Opened 3 years ago
Last modified 3 years ago
#56165 new defect (bug)
Bogus query parameters force WordPress to drop query limit and exhausts memory
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 6.0 |
| Component: | Query | Keywords: | |
| Focuses: | | Cc: | |
Description
I noticed that a site was regularly getting out of memory errors at a URL that seems to be an attempt at "hacking" a Drupal site:
https://example.com/?q=user%2Fpassword&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=dir&debug
For some reason this causes WordPress to execute this query:
SELECT wp_posts.* FROM wp_posts WHERE 1=1 AND wp_posts.post_type = 'post' AND ((wp_posts.post_status = 'publish')) ORDER BY wp_posts.post_date DESC
You'll notice that there is no LIMIT set, even though the site has a limit set by default and there are no plugins/filters to alter this.
On a site with a large number of posts this can easily cause memory issues (I noticed it during the update_meta_cache function running after the query).
That URL is causing WordPress to execute this query:
WP_Query->query(Array ([name] => Array ([#post_render] => Array ([0] => passthru),[#type] => markup,[#markup] => dir)))
The name parameter is supposed to be a string, so I'm not sure why it's affecting the query at all (PHP 7.4 does throw a warning because WP tries to trim() the value; PHP 8.1 throws an error).
I haven't gotten far enough in to see why the query limit is dropped, but I imagine in any case this URL should result in either the homepage being displayed or a 404.
Here is a full backtrace:
#0 update_meta_cache(post, Array ([0] => 81102,[1] => 80934,[2] => 80927,...))
#1 update_postmeta_cache(Array ([0] => 81102,[1] => 80934,[2] => 80927,...))
#2 update_post_caches(Array ([0] => WP_Post Object ([ID] => 81102,[post_author] => 5,[post_date] => 2022-07-01 10:17:29,[post_date_gmt] => 2022-07-01 17:17:29,[post_content] => <!-- wp:paragraph -->
#3 WP_Query->get_posts() called at [/wp-includes/class-wp-query.php:3586]
#4 WP_Query->query(Array ([name] => Array ([#post_render] => Array ([0] => passthru),[#type] => markup,[#markup] => dir))) called at [/wp-includes/class-wp.php:648]
#5 WP->query_posts() called at [/wp-includes/class-wp.php:775]
#6 WP->main() called at [/wp-includes/functions.php:1330]
#7 wp() called at [/wp-blog-header.php:16]
#8 require(/wp-blog-header.php) called at [/index.php:4]
Hi there, welcome back to WordPress Trac! Thanks for the ticket.
Just noting that this seems related to #17737.
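For site operators triaging the memory errors described in this ticket, the following is an added example (not part of the ticket and not WordPress code) that scans access-log lines for requests passing a string-typed query var such as name in PHP array syntax. The list of scalar vars, the combined log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: query vars WordPress expects as a single string (list not from the ticket).
SCALAR_QUERY_VARS = {"name", "pagename", "attachment"}

# Request target inside a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines; the first carries the URL quoted in the ticket.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jul/2022:10:20:01 +0000] "GET /?q=user%2Fpassword'
    '&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=dir'
    '&debug HTTP/1.1" 500 0',
    '198.51.100.4 - - [01/Jul/2022:10:20:05 +0000] "GET /?name=hello-world HTTP/1.1" 200 5123',
    '198.51.100.9 - - [01/Jul/2022:10:21:40 +0000] "GET /?pagename%5B%5D=x HTTP/1.1" 200 812',
    '198.51.100.4 - - [01/Jul/2022:10:22:13 +0000] "GET /?post_type[]=post HTTP/1.1" 200 901',
]


def array_valued_vars(url):
    """Return the scalar query vars that the URL passes in PHP array syntax."""
    hits = set()
    for key, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl percent-decodes keys, so name%5B%5D and name[] look the same here.
        # PHP would turn either into $_GET['name'] = array(...).
        base, bracket, _ = key.partition("[")
        if bracket and base in SCALAR_QUERY_VARS:
            hits.add(base)
    return sorted(hits)


def scan(lines):
    """Return (line number, client address, offending vars) for each flagged line."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = array_valued_vars(match.group(1))
        if hits:
            findings.append((lineno, line.split()[0], hits))
    return findings


if __name__ == "__main__":
    for lineno, client, hits in scan(SAMPLE_LOG):
        print(f"line {lineno}: {client} sent array syntax for {', '.join(hits)}")
```

Correlating the flagged timestamps with PHP out-of-memory entries in the error log shows whether these requests line up with the failures.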