Make WordPress Core

Opened 18 months ago

Last modified 12 months ago

#62627 new defect (bug)

PHP warning or fatal error if user supplies array instead of string

Reported by: leedxw
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 6.7.1
Component: Feeds
Keywords: has-test-info has-screenshots has-patch
Focuses:
Cc:

Description

A request for http://localhost/?feed[]= will produce errors implying no checks are made to see if a string is actually a string.

(This is via parse_query() class-wp-query.php:1018)

on PHP 7.4:

PHP Warning:  strpos() expects parameter 1 to be string, array given in /var/www/html/wp-includes/compat.php on line 498
PHP Warning:  Illegal offset type in isset or empty in /var/www/html/wp-includes/feed.php on line 777
PHP Warning:  strpos() expects parameter 1 to be string, array given in /var/www/html/wp-includes/compat.php on line 498
PHP Notice:  Array to string conversion in /var/www/html/wp-includes/functions.php on line 1612

on PHP 8.3:

PHP Fatal error:  Uncaught TypeError: str_contains(): Argument #1 ($haystack) must be of type string, array given in /var/www/html/wp-includes/class-wp-query.php:1018
...

We have logging switched on and are currently seeing a lot of probes by unknown third-parties that consist of providing arrays where user-supplied strings would normally be expected. (Presumably looking for changes in output that might indicate an exploitable bug. This can currently be used to see if a WordPress site is running with a PHP version below 8.)
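
One way to spot the probes described above in web server access logs, as an added example that is not part of the ticket or of WordPress itself: it flags requests that supply the bracketed (array) form of a query variable expected to be a string. Only `feed` comes from the ticket; the other names in `SCALAR_VARS`, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query variables expected to be scalar strings. "feed" is the one named in
# the ticket; the others are assumed here for illustration.
SCALAR_VARS = {"feed", "s", "p", "paged"}

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# PHP turns name[...]=value into an array stored under "name".
ARRAY_KEY_RE = re.compile(r'^([^\[\]]+)\[[^\]]*\]')


def array_typed_params(url):
    """Return the sorted scalar variable names that the URL supplies as arrays."""
    hits = set()
    # parse_qsl percent-decodes keys, so feed%5B%5D= is seen as feed[]
    for key, _value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        m = ARRAY_KEY_RE.match(key)
        if m and m.group(1) in SCALAR_VARS:
            hits.add(m.group(1))
    return sorted(hits)


def scan(lines):
    """Return (client_ip, url, params) for each log line carrying such a request."""
    results = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        params = array_typed_params(m.group(1))
        if params:
            results.append((line.split(" ", 1)[0], m.group(1), params))
    return results


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Dec/2024:10:00:01 +0000] "GET /?feed[]= HTTP/1.1" 500 0',
    '192.0.2.10 - - [03/Dec/2024:10:00:02 +0000] "GET /?feed%5B%5D=rss2 HTTP/1.1" 500 0',
    '198.51.100.7 - - [03/Dec/2024:10:00:03 +0000] "GET /?feed=rss2 HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/Dec/2024:10:00:04 +0000] "GET /?s[a][b]=x&p=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [03/Dec/2024:10:00:05 +0000] "GET /?tag[]=a HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, url, params in scan(SAMPLE_LOG):
        print(ip, url, params)
```

Variables outside `SCALAR_VARS` are ignored, so the list should hold only parameters the site never expects as arrays.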

Attachments (4)

62627.patch (1.5 KB) - added by ankitkumarshah 18 months ago.
Screenshot (5).png (62.6 KB) - added by benazeer 18 months ago.
Fatal errors occurring.
Screenshot (7).png (34.7 KB) - added by benazeer 18 months ago.
Attaching the patch test screenshot.
Screenshot_9.png (10.3 KB) - added by sahibkhaan 17 months ago.
Gives an error when passing an array query string ?feed[]=


Change History (12)

#1 @sukhendu2002
18 months ago

  • Keywords has-testing-info has-screenshots added

Reproduction Report

Description

This report validates whether the issue can be reproduced.

Environment

  • WordPress: 6.8-alpha-59274-src
  • PHP: 8.2.26
  • Server: nginx/1.27.3
  • Database: mysqli (Server: 8.0.40 / Client: mysqlnd 8.2.26)
  • Browser: Chrome 131.0.0.0
  • OS: macOS
  • Theme: Twenty Twenty-Five 1.0
  • MU Plugins: None activated
  • Plugins:
    • Test Reports 1.2.0

Actual Results

  1. Fatal errors occur when an array is passed to the feed parameter.
  2. ✅ Error condition successfully reproduced

Supplemental Artifacts

https://utfs.io/f/TTyF6MLuAyHD7LNqWkE06yIE1PuqGtO8VgNR4rl5h2LvmpfF

#2 @ankitkumarshah
18 months ago

Hi @leedxw,

Thank you for bringing this up. I was successfully able to reproduce the issue.

https://i.postimg.cc/MT7H8pgt/image.png

This could be resolved by adding checks of is_string() right before string operations and concatenations. Below is a potential patch that could help resolve the problem.

#3 @benazeer
18 months ago

Reproduction Report

Description

This report validates whether the issue can be reproduced.

Environment

  • WordPress: 6.8-alpha-59274-src
  • PHP: 8.2.25
  • Server: nginx/1.27.2
  • Database: mysqli (Server: 8.0.40 / Client: mysqlnd 8.2.25)
  • Browser: Chrome 131.0.0.0
  • OS: macOS
  • Theme: Twenty Twenty-Five 1.0
  • MU Plugins: None activated
  • Plugins:
    • Test Reports 1.2.0

Actual Results

  1. ✅ Error condition occurs (reproduced).
  2. Fatal errors occur when an array is passed to the feed parameter.

@benazeer
18 months ago

Fatal errors occurring.

#4 @benazeer
18 months ago

Test Report

Description

This report validates whether the indicated patch works as expected.

Patch tested: REPLACE_WITH_PATCH_URL

Environment

  • WordPress: 6.8-alpha-59274-src
  • PHP: 8.2.25
  • Server: nginx/1.27.2
  • Database: mysqli (Server: 8.0.40 / Client: mysqlnd 8.2.25)
  • Browser: Chrome 131.0.0.0
  • OS: macOS
  • Theme: Twenty Twenty-Five 1.0
  • MU Plugins: None activated
  • Plugins:
    • Test Reports 1.2.0

Actual Results

  1. Not sure if this is what I am supposed to get.
  2. Attaching a screenshot of the screen I get after adding the patch.

@benazeer
18 months ago

Attaching the patch test screenshot.

#5 @im3dabasia1
18 months ago

Reproduction Report

Description

This report validates whether the issue can be reproduced.

Environment

  • WordPress: 6.8-alpha-59274-src
  • PHP: 8.2.25
  • Server: nginx/1.27.2
  • Database: mysqli (Server: 8.0.40 / Client: mysqlnd 8.2.25)
  • Browser: Chrome 129.0.0.0
  • OS: macOS
  • Theme: Twenty Twenty-Five 1.0
  • MU Plugins: None activated
  • Plugins:
    • Test Reports 1.2.0

Actual Results

  1. ✅ Error condition occurs (reproduced).

Supplemental Artifacts

https://i.postimg.cc/fbDPkDff/Screenshot-2024-12-03-at-4-59-43-PM.png

#6 @im3dabasia1
18 months ago

Test Report

Description

This report validates whether the indicated patch works as expected.

Patch tested: https://core.trac.wordpress.org/attachment/ticket/62627/62627.patch

Environment

  • WordPress: 6.8-alpha-59274-src
  • PHP: 8.2.25
  • Server: nginx/1.27.2
  • Database: mysqli (Server: 8.0.40 / Client: mysqlnd 8.2.25)
  • Browser: Chrome 129.0.0.0
  • OS: macOS
  • Theme: Twenty Twenty-Five 1.0
  • MU Plugins: None activated
  • Plugins:
    • Test Reports 1.2.0

Actual Results

  1. ✅ Issue resolved with patch.

Supplemental Artifacts

https://i.postimg.cc/v8K2dWgy/Screenshot-2024-12-03-at-5-04-02-PM.png

#7 @yogeshbhutkar
18 months ago

  • Keywords has-patch added

@sahibkhaan
17 months ago

Gives an error when passing an array query string ?feed[]=

#8 @wordpressdotorg
12 months ago

  • Keywords has-test-info added; has-testing-info removed