#59373 closed defect (bug) (fixed)
TypeError: str_contains() argument must be of type string, array given in wp-login.php
Reported by: | TimoTijhof | Owned by: | SergeyBiryukov |
---|---|---|---|
Milestone: | 6.6 | Priority: | normal |
Severity: | normal | Version: | 6.3.1 |
Component: | Login and Registration | Keywords: | has-patch php80 |
Focuses: | php-compatibility | Cc: |
Description
This seems to affect PHP 8.0 and higher.
Downstream report at https://github.com/jquery/infrastructure-puppet/issues/34
Seems to be an upstream issue where a
$_GET
or$_REQUEST
key is checked for existence but not for type, thus prone to misuse when crafting query parameters in the array-form that PHP supports.
Easily reproduced, for example, at:
Change History (6)
This ticket was mentioned in PR #5227 on WordPress/wordpress-develop by @TimoTijhof.
8 months ago
#2
- Keywords has-patch added
Trac ticket: https://core.trac.wordpress.org/ticket/59373.
This prevents URLs like /wp-login.php?redirect_to[x]=y
from triggering a HTTP 500 response as result of
PHP Fatal error: Uncaught TypeError: str_contains(): Argument #1 ($haystack) must be of type string, array given
I considered changing the case for "authorize-application.php" to re-use the $requested_redirect_to
variable but left it as-is because this case reads from _GET whereas the variable also considers POST parameters (via _REQUEST), which might be intentional. This case was introduced in [49109] for #42790.
#3
in reply to:
↑ 1
@
8 months ago
- Keywords php80 added
- Milestone changed from Awaiting Review to 6.6
Hi there, thanks for the ticket!
Replying to TimoTijhof:
I have a patch at https://github.com/WordPress/wordpress-develop/pull/5227.
I've pinged this ticket three different ways, but I'm not seeing anything show up here as is implied by the above notice
Looks like the PR was attached to #42790 instead due to that ticket being mentioned first in the PR description.
No worries, this is now resolved by moving this ticket's URL to the top of the description.
@SergeyBiryukov commented on PR #5227:
8 months ago
#6
Thanks for the PR! Merged in r58023.
I have a patch at https://github.com/WordPress/wordpress-develop/pull/5227.
I've pinged this ticket three different ways, but I'm not seeing anything show up here as is implied by the above notice and the handbook at https://make.wordpress.org/core/handbook/contribute/git/github-pull-requests-for-code-review/.
The patch has a failing build due to End-to-end and Performance tests being flaky. I've re-run them a few times and they both pass at different times but not at the same time. I'm guessing that's common enough that it won't hinder the likelihood of code review, so I'll sit back and wait :)