Make WordPress Core

Opened 2 years ago

Closed 20 months ago

Last modified 20 months ago

#56850 closed defect (bug) (fixed)

PHP 8.1 deprecation notices from wp_signon() with default parameters

Reported by: lenasterg's profile lenasterg Owned by: sergeybiryukov's profile SergeyBiryukov
Milestone: 6.2 Priority: normal
Severity: normal Version:
Component: Login and Registration Keywords: has-patch php81 has-unit-tests commit
Focuses: Cc:

Description

This fixes a
PHP Deprecated: trim(): Passing null to parameter #1 ($string) of type string is deprecated in wp-includes\pluggable.php on line 598

Attachments (1)

56850.diff (1.7 KB) - added by SergeyBiryukov 2 years ago.

Download all attachments as: .zip

Change History (21)

#1 in reply to: ↑ description @lenasterg
2 years ago

Replying to lenasterg:

This fixes a
PHP Deprecated: trim(): Passing null to parameter #1 ($string) of type string is deprecated in wp-includes\pluggable.php on line 598

Pull request with the fix is the

https://github.com/WordPress/wordpress-develop/pull/3491

This ticket was mentioned in PR #3491 on WordPress/wordpress-develop by @lenasterg.


2 years ago
#2

Fix for PHP Deprecated: trim(): Passing null to parameter #1 ($string) of type string is deprecated in app\wp-includes\pluggable.php on line 598

Trac ticket: [](https://core.trac.wordpress.org/ticket/56850)

#3 @TobiasBg
2 years ago

Hi @lenasterg,

thanks for looking into this!

When getting this deprecation warning, can you see where that null value is coming from?
A password should only ever be a string, so it might make more sense to add a fix to the calling function.
With the suggested is_string() check, the issue is essentially just shifted further down, when the next operation on the still-null $password happens -- but then this check might just make debugging and finding the origin a bit harder.

#5 @lenasterg
2 years ago

Hi @TobiasBg

The null comes from https://core.trac.wordpress.org/browser/trunk/src/wp-includes/user.php#L95 from inside the function wp_signon.
The line 95

$user = wp_authenticate( $credentials['user_login'], $credentials['user_password'] );

where both $credentials['user_login'], &$credentials['user_password'] are NULL when a user access the wp-login.php page for first time.

The wp_signon function is called in https://core.trac.wordpress.org/browser/trunk/src/wp-login.php#L1231 with an empty array as $credentials argument.
Line 1231 is:
$user = wp_signon( array(), $secure_cookie );


#6 @SergeyBiryukov
2 years ago

  • Keywords php81 added

#7 @TobiasBg
2 years ago

Thanks for the background on this, @lenasterg!

I'm not sure why the login form, needs to pass empty arguments here, but I assume that it would be "too late" to change this anyways, for backwards compatibility reasons (as the filter hooks that run during the request) might be overriding the calls to perform some custom authentication.
Your proposed changes do make sense, therefore.

It might be worth updating the function's docblock then as well, to clarify that null is a possible parameter value/type.

@SergeyBiryukov
2 years ago

#8 @SergeyBiryukov
2 years ago

  • Milestone changed from Awaiting Review to 6.2
  • Summary changed from pluggable.php - Deprecated errors on PHP 8.1 to PHP 8.1 deprecation notices from wp_signon() with default parameters

Thanks for the ticket! I was able to reproduce the issue.

  • It looks like there are actually two deprecation notices here:
    • One from preg_replace() in wp_strip_all_tags() via sanitize_user() in wp_authenticate():
      Deprecated: preg_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated
      
    • One from trim() in wp_authenticate() itself:
      Deprecated: trim(): Passing null to parameter #1 ($string) of type string is deprecated
      
  • The $credentials['user_login'] and $credentials['user_password'] parameters are passed by reference to the wp_authenticate action, and this is where they are created as `null` if they don't exist.
  • Since the parameters are documented as strings in various places (wp_authenticate action, secure_signon_cookie filter, wp_authenticate() function, authenticate filter, etc.) is seems like a bug that they are created as null instead of an empty string. Documenting null as a possible value does not seem ideal, as it forces plugins to deal with the issue on their own instead of fixing it at the source.

I believe the correct solution would be to create these parameters as an empty string instead, along the lines of similar fixes in [54351] and [54368]. See 56850.diff, which also includes a unit test.

Last edited 2 years ago by SergeyBiryukov (previous) (diff)

This ticket was mentioned in PR #3499 on WordPress/wordpress-develop by @SergeyBiryukov.


2 years ago
#9

  • Keywords has-unit-tests added

#11 @SergeyBiryukov
2 years ago

  • Owner set to SergeyBiryukov
  • Status changed from new to accepted

#12 @SergeyBiryukov
21 months ago

#57458 was marked as a duplicate.

#13 @ocean90
21 months ago

#57605 was marked as a duplicate.

#14 @afragen
21 months ago

What more needs to be done on this ticket to move it forward?

I can confirm that @SergeyBiryukov's PR fixes the issue.

This ticket was mentioned in Slack in #core by ipajen. View the logs.


20 months ago

This ticket was mentioned in Slack in #core by ipajen. View the logs.


20 months ago

#17 @SergeyBiryukov
20 months ago

  • Keywords commit added

#18 @SergeyBiryukov
20 months ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 55301:

Login and Registration: Set correct default values in wp_signon().

The $credentials['user_login'] and $credentials['user_password'] parameters are passed by reference to the wp_authenticate action, and are at that point created as null if they don't exist in the array.

This commit sets those values to an empty string, resolving two PHP 8.1 deprecation notices:

  • One from preg_replace() in wp_strip_all_tags() via sanitize_user() in wp_authenticate():
    Deprecated: preg_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated
    
  • One from trim() in wp_authenticate() itself:
    Deprecated: trim(): Passing null to parameter #1 ($string) of type string is deprecated
    

Includes documenting the $credentials parameter using hash notation.

Follow-up to [6643], [37697].

Props lenasterg, TobiasBg, ocean90, afragen, lkraav, SergeyBiryukov.
Fixes #56850.

@SergeyBiryukov commented on PR #3499:


20 months ago
#19

Merged in r55301.

@SergeyBiryukov commented on PR #3491:


20 months ago
#20

Thanks for the PR! Merged a slightly different solution in r55301.

#21 @SergeyBiryukov
20 months ago

#57636 was marked as a duplicate.

Note: See TracTickets for help on using tickets.