Make WordPress Core

Opened 4 weeks ago

Closed 4 weeks ago

Last modified 4 weeks ago

#61136 closed defect (bug) (fixed)

wp-login.php?action=postpass PHP Warning with invalid input

Reported by: dd32's profile dd32 Owned by: sergeybiryukov's profile SergeyBiryukov
Milestone: 6.6 Priority: normal
Severity: minor Version:
Component: Login and Registration Keywords: commit has-patch
Focuses: Cc:

Description

The following warning can be generated on wp-login.php:

E_WARNING: strlen() expects parameter 1 to be string, array given in wp-includes/class-phpass.php:206

This can be duplicated with a request such as:

curl http://example.org/wp-login.php?action=postpass --data 'post_password[foo]=bar'

Similar to #59373

Change History (3)

This ticket was mentioned in PR #6490 on WordPress/wordpress-develop by @dd32.


4 weeks ago
#1

  • Keywords has-patch added

#2 @SergeyBiryukov
4 weeks ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 58093:

Login and Registration: Check that post_password is a string in wp-login.php.

This prevents a fatal error if an array is passed instead.

Follow-up to [19925], [34909], [58023].

Props dd32, swissspidy.
Fixes #61136.

@SergeyBiryukov commented on PR #6490:


4 weeks ago
#3

Thanks for the PR! Merged in r58093.

Note: See TracTickets for help on using tickets.