WordPress.org
Get WordPress

Make WordPress Core

Opened 13 months ago

Closed 13 months ago

Last modified 13 months ago

#61136 closed defect (bug) (fixed)

wp-login.php?action=postpass PHP Warning with invalid input

Reported by: dd32's profile dd32 Owned by: sergeybiryukov's profile SergeyBiryukov
Milestone: 6.6 Priority: normal
Severity: minor Version:
Component: Login and Registration Keywords: commit has-patch
Focuses: Cc:

Description

The following warning can be generated on wp-login.php:

E_WARNING: strlen() expects parameter 1 to be string, array given in wp-includes/class-phpass.php:206

This can be duplicated with a request such as:

curl http://example.org/wp-login.php?action=postpass --data 'post_password[foo]=bar'

Similar to #59373

Change History (3)

This ticket was mentioned in PR #6490 on WordPress/wordpress-develop by @dd32.
13 months ago #1

  • Keywords has-patch added

Trac ticket: https://core.trac.wordpress.org/ticket/61136#ticket

#2 @SergeyBiryukov
13 months ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 58093:

Login and Registration: Check that post_password is a string in wp-login.php.

This prevents a fatal error if an array is passed instead.

Follow-up to [19925], [34909], [58023].

Props dd32, swissspidy.
Fixes #61136.

@SergeyBiryukov commented on PR #6490:
13 months ago #3

Thanks for the PR! Merged in r58093.

Note: See TracTickets for help on using tickets.