Make WordPress Core

Opened 15 months ago

Closed 8 months ago

Last modified 8 months ago

#59373 closed defect (bug) (fixed)

TypeError: str_contains() argument must be of type string, array given in wp-login.php

Reported by: timotijhof's profile TimoTijhof Owned by: sergeybiryukov's profile SergeyBiryukov
Milestone: 6.6 Priority: normal
Severity: normal Version: 6.3.1
Component: Login and Registration Keywords: has-patch php80
Focuses: php-compatibility Cc:

Description

This seems to affect PHP 8.0 and higher.

Downstream report at https://github.com/jquery/infrastructure-puppet/issues/34

Seems to be an upstream issue where a $_GET or $_REQUEST key is checked for existence but not for type, thus prone to misuse when crafting query parameters in the array-form that PHP supports.

Easily reproduced, for example, at:

Change History (6)

#1 follow-up: @TimoTijhof
15 months ago

I have a patch at https://github.com/WordPress/wordpress-develop/pull/5227.

I've pinged this ticket three different ways, but I'm not seeing anything show up here as is implied by the above notice and the handbook at https://make.wordpress.org/core/handbook/contribute/git/github-pull-requests-for-code-review/.

The patch has a failing build due to End-to-end and Performance tests being flaky. I've re-run them a few times and they both pass at different times but not at the same time. I'm guessing that's common enough that it won't hinder the likelihood of code review, so I'll sit back and wait :)

This ticket was mentioned in PR #5227 on WordPress/wordpress-develop by @TimoTijhof.


8 months ago
#2

  • Keywords has-patch added

Trac ticket: https://core.trac.wordpress.org/ticket/59373.

This prevents URLs like /wp-login.php?redirect_to[x]=y from triggering a HTTP 500 response as result of

PHP Fatal error: Uncaught TypeError: str_contains():
Argument #1 ($haystack) must be of type string, array given

I considered changing the case for "authorize-application.php" to re-use the $requested_redirect_to variable but left it as-is because this case reads from _GET whereas the variable also considers POST parameters (via _REQUEST), which might be intentional. This case was introduced in [49109] for #42790.

#3 in reply to: ↑ 1 @SergeyBiryukov
8 months ago

  • Keywords php80 added
  • Milestone changed from Awaiting Review to 6.6

Hi there, thanks for the ticket!

Replying to TimoTijhof:

I have a patch at https://github.com/WordPress/wordpress-develop/pull/5227.

I've pinged this ticket three different ways, but I'm not seeing anything show up here as is implied by the above notice

Looks like the PR was attached to #42790 instead due to that ticket being mentioned first in the PR description.

No worries, this is now resolved by moving this ticket's URL to the top of the description.

#4 @SergeyBiryukov
8 months ago

  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

#5 @SergeyBiryukov
8 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 58023:

Login and Registration: Check that redirect_to is a string in wp-login.php.

This prevents a fatal error if an array is passed instead.

Follow-up to [2876], [4969], [7524], [8701], [25701], [31417], [49109].

Props TimoTijhof.
Fixes #59373.

@SergeyBiryukov commented on PR #5227:


8 months ago
#6

Thanks for the PR! Merged in r58023.

Note: See TracTickets for help on using tickets.