Opened 6 weeks ago
Last modified 6 weeks ago
#62627 new defect (bug)
PHP warning or fatal error if user supplies array instead of string
Reported by: | leedxw | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 6.7.1 |
Component: | Feeds | Keywords: | has-testing-info has-screenshots has-patch |
Focuses: | Cc: |
Description
A request for http://localhost/?feed[]=
will produce errors implying no checks are made to see if
a string is actually a string.
(This is via parse_query()
class-wp-query.php:1018
)
on PHP 7.4:
PHP Warning: strpos() expects parameter 1 to be string, array given in /var/www/html/wp-includes/compat.php on line 498 PHP Warning: Illegal offset type in isset or empty in /var/www/html/wp-includes/feed.php on line 777 PHP Warning: strpos() expects parameter 1 to be string, array given in /var/www/html/wp-includes/compat.php on line 498 PHP Notice: Array to string conversion in /var/www/html/wp-includes/functions.php on line 1612
on PHP8.3:
PHP Fatal error: Uncaught TypeError: str_contains(): Argument #1 ($haystack) must be of type string, array given in /var/www/html/wp-includes/class-wp-query.php:1018 ...
We have logging switched on and are currently seeing a lot of probes by unknown third-parties that consist of providing arrays where user-supplied strings would normally be expected. (Presumably looking for changes in output that might indicate an exploitable bug. This can currently be used to see if a WordPress site is running with a PHP version below 8.)
Attachments (4)
Change History (11)
#3
@
6 weeks ago
Reproduction Report
Description
This report validates whether the issue can be reproduced.
Environment
- WordPress: 6.8-alpha-59274-src
- PHP: 8.2.25
- Server: nginx/1.27.2
- Database: mysqli (Server: 8.0.40 / Client: mysqlnd 8.2.25)
- Browser: Chrome 131.0.0.0
- OS: macOS
- Theme: Twenty Twenty-Five 1.0
- MU Plugins: None activated
- Plugins:
- Test Reports 1.2.0
Actual Results
- ✅ Error condition occurs (reproduced).
- Fatal errors occur when array passed to feed parameter.
#4
@
6 weeks ago
Test Report
Description
This report validates whether the indicated patch works as expected.
Patch tested: REPLACE_WITH_PATCH_URL
Environment
- WordPress: 6.8-alpha-59274-src
- PHP: 8.2.25
- Server: nginx/1.27.2
- Database: mysqli (Server: 8.0.40 / Client: mysqlnd 8.2.25)
- Browser: Chrome 131.0.0.0
- OS: macOS
- Theme: Twenty Twenty-Five 1.0
- MU Plugins: None activated
- Plugins:
- Test Reports 1.2.0
Actual Results
- ✅ Issue resolved with patch.
Attaching the screenshot of the screen getting after adding patch.
#5
@
6 weeks ago
Reproduction Report
Description
This report validates whether the issue can be reproduced.
Environment
- WordPress: 6.8-alpha-59274-src
- PHP: 8.2.25
- Server: nginx/1.27.2
- Database: mysqli (Server: 8.0.40 / Client: mysqlnd 8.2.25)
- Browser: Chrome 129.0.0.0
- OS: macOS
- Theme: Twenty Twenty-Five 1.0
- MU Plugins: None activated
- Plugins:
- Test Reports 1.2.0
Actual Results
- ✅ Error condition occurs (reproduced).
Supplemental Artifacts
#6
@
6 weeks ago
Test Report
Description
This report validates whether the indicated patch works as expected.
Patch tested: https://core.trac.wordpress.org/attachment/ticket/62627/62627.patch
Environment
- WordPress: 6.8-alpha-59274-src
- PHP: 8.2.25
- Server: nginx/1.27.2
- Database: mysqli (Server: 8.0.40 / Client: mysqlnd 8.2.25)
- Browser: Chrome 129.0.0.0
- OS: macOS
- Theme: Twenty Twenty-Five 1.0
- MU Plugins: None activated
- Plugins:
- Test Reports 1.2.0
Actual Results
- ✅ Issue resolved with patch.
Reproduction Report
Description
This report validates whether the issue can be reproduced.
Environment
Actual Results
Supplemental Artifacts