Make WordPress Core

Opened 6 weeks ago

Last modified 6 weeks ago

#62627 new defect (bug)

PHP warning or fatal error if user supplies array instead of string

Reported by: leedxw
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 6.7.1
Component: Feeds
Keywords: has-testing-info has-screenshots has-patch
Focuses:
Cc:

Description

A request for http://localhost/?feed[]= will produce errors implying no checks are made to see if a string is actually a string.

(This is via parse_query() class-wp-query.php:1018)

On PHP 7.4:

PHP Warning:  strpos() expects parameter 1 to be string, array given in /var/www/html/wp-includes/compat.php on line 498
PHP Warning:  Illegal offset type in isset or empty in /var/www/html/wp-includes/feed.php on line 777
PHP Warning:  strpos() expects parameter 1 to be string, array given in /var/www/html/wp-includes/compat.php on line 498
PHP Notice:  Array to string conversion in /var/www/html/wp-includes/functions.php on line 1612

On PHP 8.3:

PHP Fatal error:  Uncaught TypeError: str_contains(): Argument #1 ($haystack) must be of type string, array given in /var/www/html/wp-includes/class-wp-query.php:1018
...

We have logging switched on and are currently seeing a lot of probes by unknown third parties that consist of providing arrays where user-supplied strings would normally be expected. (Presumably looking for changes in output that might indicate an exploitable bug. This can currently be used to see if a WordPress site is running with a PHP version below 8.)

Attachments (4)

62627.patch (1.5 KB) - added by ankitkumarshah 6 weeks ago.
Screenshot (5).png (62.6 KB) - added by benazeer 6 weeks ago.
Fatal errors occurring.
Screenshot (7).png (34.7 KB) - added by benazeer 6 weeks ago.
Attaching the patch test screenshot.
Screenshot_9.png (10.3 KB) - added by sahibkhaan 5 weeks ago.
giving error when passing array query string ?feed[]=


Change History (11)

#1 @sukhendu2002
6 weeks ago

  • Keywords has-testing-info has-screenshots added

Reproduction Report

Description

This report validates whether the issue can be reproduced.

Environment

  • WordPress: 6.8-alpha-59274-src
  • PHP: 8.2.26
  • Server: nginx/1.27.3
  • Database: mysqli (Server: 8.0.40 / Client: mysqlnd 8.2.26)
  • Browser: Chrome 131.0.0.0
  • OS: macOS
  • Theme: Twenty Twenty-Five 1.0
  • MU Plugins: None activated
  • Plugins:
    • Test Reports 1.2.0

Actual Results

  1. Fatal errors occur when an array is passed to the feed parameter.
  2. ✅ Error condition successfully reproduced

Supplemental Artifacts

https://utfs.io/f/TTyF6MLuAyHD7LNqWkE06yIE1PuqGtO8VgNR4rl5h2LvmpfF

#2 @ankitkumarshah
6 weeks ago

Hi @leedxw,

Thank you for bringing this up. I was successfully able to reproduce the issue.

https://i.postimg.cc/MT7H8pgt/image.png

This could be resolved by adding checks of is_string() right before string operations and concatenations. Below is a potential patch that could help resolve the problem.
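
An added example, not the attached 62627.patch and not WordPress core code: it reproduces the reported failure on a constructed feed[]= query string and shows an is_string() guard of the kind suggested in this comment, plus a check that reports which expected-string variables arrived as another type. It assumes PHP 8; the helper names example_non_string_vars and example_string_var and the 'comments-' needle are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not a WordPress function): list the expected-string
 * keys that arrived as something else, e.g. an array from "?feed[]=".
 */
function example_non_string_vars(array $input, array $string_keys): array
{
    $bad = [];
    foreach ($string_keys as $key) {
        if (array_key_exists($key, $input) && !is_string($input[$key])) {
            $bad[$key] = gettype($input[$key]);
        }
    }
    return $bad;
}

/** Hypothetical helper: the value if it is a string, else a default. */
function example_string_var(array $input, string $key, string $default = ''): string
{
    return (isset($input[$key]) && is_string($input[$key])) ? $input[$key] : $default;
}

// Constructed inputs. PHP parses the "[]" suffix into an array value,
// so the first query string yields an array under 'feed', the second a string.
parse_str('feed[]=', $probe);
parse_str('feed=comments-rss2', $normal);

// Unguarded string call on the probe: TypeError on PHP 8, as in the report.
try {
    str_contains($probe['feed'], 'comments-'); // needle is illustrative
} catch (TypeError $e) {
    echo 'unguarded: ', $e->getMessage(), PHP_EOL;
}

foreach (['probe' => $probe, 'normal' => $normal] as $label => $vars) {
    // Record the type mismatch so the caller can log or reject the request.
    foreach (example_non_string_vars($vars, ['feed']) as $key => $type) {
        echo "$label: '$key' arrived as $type, expected string", PHP_EOL;
    }
    // Guarded: string functions only ever see a string.
    $feed = example_string_var($vars, 'feed');
    echo "$label: feed=", var_export($feed, true), ' comments=',
        var_export(str_contains($feed, 'comments-'), true), PHP_EOL;
}
```

Falling back to an empty string treats the malformed request as if no feed had been requested; rejecting the request outright is the stricter alternative.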

#3 @benazeer
6 weeks ago

Reproduction Report

Description

This report validates whether the issue can be reproduced.

Environment

  • WordPress: 6.8-alpha-59274-src
  • PHP: 8.2.25
  • Server: nginx/1.27.2
  • Database: mysqli (Server: 8.0.40 / Client: mysqlnd 8.2.25)
  • Browser: Chrome 131.0.0.0
  • OS: macOS
  • Theme: Twenty Twenty-Five 1.0
  • MU Plugins: None activated
  • Plugins:
    • Test Reports 1.2.0

Actual Results

  1. ✅ Error condition occurs (reproduced).
  2. Fatal errors occur when an array is passed to the feed parameter.

@benazeer
6 weeks ago

Fatal errors occurring.

#4 @benazeer
6 weeks ago

Test Report

Description

This report validates whether the indicated patch works as expected.

Patch tested: REPLACE_WITH_PATCH_URL

Environment

  • WordPress: 6.8-alpha-59274-src
  • PHP: 8.2.25
  • Server: nginx/1.27.2
  • Database: mysqli (Server: 8.0.40 / Client: mysqlnd 8.2.25)
  • Browser: Chrome 131.0.0.0
  • OS: macOS
  • Theme: Twenty Twenty-Five 1.0
  • MU Plugins: None activated
  • Plugins:
    • Test Reports 1.2.0

Actual Results

  1. ✅ Issue resolved with patch.

Attaching the screenshot of the screen I get after adding the patch.


@benazeer
6 weeks ago

Attaching the patch test screenshot.

#5 @im3dabasia1
6 weeks ago

Reproduction Report

Description

This report validates whether the issue can be reproduced.

Environment

  • WordPress: 6.8-alpha-59274-src
  • PHP: 8.2.25
  • Server: nginx/1.27.2
  • Database: mysqli (Server: 8.0.40 / Client: mysqlnd 8.2.25)
  • Browser: Chrome 129.0.0.0
  • OS: macOS
  • Theme: Twenty Twenty-Five 1.0
  • MU Plugins: None activated
  • Plugins:
    • Test Reports 1.2.0

Actual Results

  1. ✅ Error condition occurs (reproduced).

Supplemental Artifacts

https://i.postimg.cc/fbDPkDff/Screenshot-2024-12-03-at-4-59-43-PM.png

#6 @im3dabasia1
6 weeks ago

Test Report

Description

This report validates whether the indicated patch works as expected.

Patch tested: https://core.trac.wordpress.org/attachment/ticket/62627/62627.patch

Environment

  • WordPress: 6.8-alpha-59274-src
  • PHP: 8.2.25
  • Server: nginx/1.27.2
  • Database: mysqli (Server: 8.0.40 / Client: mysqlnd 8.2.25)
  • Browser: Chrome 129.0.0.0
  • OS: macOS
  • Theme: Twenty Twenty-Five 1.0
  • MU Plugins: None activated
  • Plugins:
    • Test Reports 1.2.0

Actual Results

  1. ✅ Issue resolved with patch.

Supplemental Artifacts

https://i.postimg.cc/v8K2dWgy/Screenshot-2024-12-03-at-5-04-02-PM.png

#7 @yogeshbhutkar
6 weeks ago

  • Keywords has-patch added

@sahibkhaan
5 weeks ago

giving error when passing array query string ?feed[]=
