Make WordPress Core

Opened 23 months ago

Last modified 23 months ago

#56165 new defect (bug)

Bogus query parameters force WordPress to drop query limit and exhausts memory

Reported by: coreyw's profile coreyw Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 6.0
Component: Query Keywords:
Focuses: Cc:

Description

I noticed that a site was regularly getting out of memory errors at a URL that seems to be an attempt at "hacking" a Drupal site:

https://example.com/?q=user%2Fpassword&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=dir&debug

For some reason this causes WordPress to execute this query:

SELECT   wp_posts.* FROM wp_posts  WHERE 1=1  AND wp_posts.post_type = 'post' AND ((wp_posts.post_status = 'publish'))  ORDER BY wp_posts.post_date DESC 

You'll notice that there is no LIMIT set, even though the site has a limit set by default and there are no plugins/filters to alter this.

On a site with a large number of posts this can easily cause memory issues (I noticed it during the update_meta_cache function running after the query.

That URL is causing WordPress to execute this query:

WP_Query->query(Array ([name] => Array ([#post_render] => Array ([0] => passthru),[#type] => markup,[#markup] => dir)))

The name parameter is supposed to be a string, so I'm not sure why it's affecting the query at all (PHP 7.4 does throw warning because WP tries to trim() the value, PHP 8.1 throws error).

I haven't gotten far enough in to see why the query limit is dropped, but I imagine in any case this URL should result in either the homepage being displayed or a 404.

Here is a full backtrace:

#0  update_meta_cache(post, Array ([0] => 81102,[1] => 80934,[2] => 80927,...))
#1  update_postmeta_cache(Array ([0] => 81102,[1] => 80934,[2] => 80927,...))
#2  update_post_caches(Array ([0] => WP_Post Object ([ID] => 81102,[post_author] => 5,[post_date] => 2022-07-01 10:17:29,[post_date_gmt] => 2022-07-01 17:17:29,[post_content] => <!-- wp:paragraph -->
#3  WP_Query->get_posts() called at [/wp-includes/class-wp-query.php:3586]
#4  WP_Query->query(Array ([name] => Array ([#post_render] => Array ([0] => passthru),[#type] => markup,[#markup] => dir))) called at [/wp-includes/class-wp.php:648]
#5  WP->query_posts() called at [/wp-includes/class-wp.php:775]
#6  WP->main() called at [/wp-includes/functions.php:1330]
#7  wp() called at [/wp-blog-header.php:16]
#8  require(/wp-blog-header.php) called at [/index.php:4]

Change History (1)

#1 @SergeyBiryukov
23 months ago

Hi there, welcome back to WordPress Trac! Thanks for the ticket.

Just noting that this seems related to #17737.

Note: See TracTickets for help on using tickets.