WordPress.org
Get WordPress

Make WordPress Core

Opened 2 months ago

Closed 2 months ago

Last modified 2 months ago

#62794 closed defect (bug) (fixed)

Fatal error from wp-login.php if password is an array

Reported by: leedxw's profile leedxw Owned by: sergeybiryukov's profile SergeyBiryukov
Milestone: 6.8 Priority: normal
Severity: normal Version: 6.7.1
Component: Login and Registration Keywords:
Focuses: Cc:

Description

If "pwd" is given as an array, it will generate a 500 error due to the use of trim()

$ curl http://localhost/wp-login.php -X POST -d 'log=example&pwd[1]=example' -s -D - -o /dev/null | grep ^HTTP
HTTP/1.1 500 Internal Server Error

"PHP message: PHP Fatal error:  Uncaught TypeError: trim(): Argument #1 ($string) must be of type string, array given in /var/www/html/wp-includes/pluggable.php:602

Attachments (1)

user_password_array.diff (537 bytes) - added by leedxw 2 months ago.
patch for user.php to check $_POSTpwd? is a string

Download all attachments as: .zip

Change History (8)

@leedxw
2 months ago

patch for user.php to check $_POSTpwd? is a string

#1 @SergeyBiryukov
2 months ago

  • Component changed from General to Login and Registration
  • Milestone changed from Awaiting Review to 6.8

#2 @SergeyBiryukov
2 months ago

  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

#3 follow-up: @audrasjb
2 months ago

Hello and thanks for the ticket and patch,

This is a good point and a good workaround, however the is_string conditional will fail if the value provided is an integer, for example.

#4 @leedxw
2 months ago

In this context, I don't know that the value of $_POST['pwd'], if set, can be anything except a string or an array. It should fail for anything other than a string.

#5 in reply to: ↑ 3 ; follow-up: @SergeyBiryukov
2 months ago

Replying to audrasjb:

This is a good point and a good workaround, however the is_string conditional will fail if the value provided is an integer, for example.

That's good to note, however values passed via $_POST can only ever be a string or an array, per the PHP manual:

HTTP being a text protocol, most, if not all, content that comes in Superglobal arrays, like $_POST and $_GET will remain as strings. PHP will not try to convert values to a specific type. In the example below, $_GET["var1"] will contain the string "null" and $_GET["var2"], the string "123".

/index.php?var1=null&var2=123

So I think this is ready to go, I would just add a similar check for $_POST['log'] for consistency.

Last edited 2 months ago by SergeyBiryukov (previous) (diff)

#6 @SergeyBiryukov
2 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 59595:

Login and Registration: Check that the $_POST values are strings in wp_signon().

This prevents a fatal error from trim() via wp_authenticate() if an array is passed instead.

Follow-up to [6643], [58093].

Props leedxw, audrasjb, SergeyBiryukov.
Fixes #62794.

#7 in reply to: ↑ 5 @audrasjb
2 months ago

Replying to SergeyBiryukov:

That's good to note, however values passed via $_POST can only ever be a string or an array, per the PHP manual:

Oh, you're right, it doesn't apply on this case. Thanks.

Note: See TracTickets for help on using tickets.