Array should not be passed to get_page_by_path()

[leedxw]

We have been logging the following, as a result of an unauthorised vulnerability scan on a site we host:

PHP Warning:  urldecode() expects parameter 1 to be string, array given in /var/www/html/wp-includes/post.php on line 6033

This occurs when an array is being passed to get_page_by_path()

I was able to reproduce using

curl -g "http://localhost/?year[1]=1"

This specific instance occurred in wp_resolve_numeric_slug_conflicts() where user-supplied values of "month" "year" etc, are passed to get_page_by_path()

[leedxw]

Patch to rewrite.php to check for array

[sukhendu2002]

Reproduction Report

Description

This report validates whether the issue can be reproduced.

Environment

• WordPress: 6.7.1
• PHP: 8.2.27
• Server: nginx/1.27.3
• Database: mysqli (Server: 8.0.40 / Client: mysqlnd 8.2.27)
• Browser: Chrome 131.0.0.0
• OS: macOS
• Theme: Twenty Twenty-Five 1.0
• MU Plugins: None activated
• Plugins:
  • Test Reports 1.2.0

Actual Results

1. ✅ Error condition occurs (reproduced).

Additional Notes

I am able to reproduce the issue in WordPress 6.7.1; however, I am not able to reproduce it in the trunk.

[sainathpoojary]

I can confirm that the "Warning: Array to string conversion" warning is occurring in WordPress 6.7.1, when an array is passed to get_page_by_path(). However, this issue does not happen in the current trunk version.

WordPress 6.7.1:

Trunk:

[abcd95]

Hey @leedxw, Thanks for bringing this up.

As mentioned in the above two comments, the warning is visible in 6.7.1 and not on the trunk. So I upgraded to the nightly build, and I was able to see the warning there too.

And the patch works fine fixing the warning. However, it would be better to further sanitize the variable to make sure it is a string passed.

[leedxw]

This issue still occurs in 6.7.2

[leedxw]

PHP Warning:  Array to string conversion in /var/www/html/wp-includes/post.php on line 6021
PHP Fatal error:  Uncaught TypeError: urldecode(): Argument #1 ($string) must be of type string, array given in /var/www/html/wp-includes/post.php:6033

Stack trace:
#0 /var/www/html/wp-includes/post.php(6033): urldecode()
#1 /var/www/html/wp-includes/rewrite.php(419): get_page_by_path()
#2 /var/www/html/wp-includes/class-wp.php(390): wp_resolve_numeric_slug_conflicts() 
#3 /var/www/html/wp-includes/class-wp.php(813): WP->parse_request()
#4 /var/www/html/wp-includes/functions.php(1336): WP->main()
#5 /var/www/html/wp-blog-header.php(16): wp()
#6 /var/www/html/index.php(17): require('...')
#7 {main}

  thrown in /var/www/html/wp-includes/post.php on line 6033

request: "GET /some-slug/?year%5B0%5D=2022

[leedxw]

Patch for 62828 for 6.7.2

[dd32]

A simpler fix might be to do this instead, as it'll avoid making the existing selection branch more complex.

        // This is the potentially clashing slug.
        $value = '';
-       if ( $compare && array_key_exists( $compare, $query_vars ) ) {
+       if ( $compare && array_key_exists( $compare, $query_vars ) && is_scalar( $query_vars[ $compare ] ) ) {
                $value = $query_vars[ $compare ];
        }

edit: The code is kinda weird with the duplicative $compare boolean check, so I simplified that in the PR

This avoids invalid input from causing PHP Warnings & Fatals, such as when the $compare query field contains an array (which is not valid).

This also removes the duplicate check of $compare being set to a value.

Fixes https://core.trac.wordpress.org/ticket/62828

Trac ticket:

[leedxw]

Just noting that this currently will produce a fatal error under php8.3 and WordPress 6.8

$ wp option set permalink_structure '/%postname%/'
$ wp rewrite flush
$ curl -s -o /dev/null -w "%{http_code}\n" "http://localhost/hello-world/?year%5B%5D=2"
500