Opened 5 weeks ago
Last modified 5 weeks ago
#63437 new defect (bug)
[v6.8.1] Unsupported operand types: bool & string in wp_privacy_anonymize_ip on line 8234
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | major | Version: | 6.8 |
| Component: | Administration | Keywords: | |
| Focuses: | php-compatibility | Cc: | |
Description
At present, it's somehow possible for a malformed IPv6 address to get passed into this expression:
$ip_addr = inet_ntop( inet_pton( $ip_addr ) & inet_pton( $netmask ) );
The first call to inet_pton() is sometimes returning false for one of my admins, causing their access to the wp-admin/ dashboard to hit a critical error (as it's used by the Community Events widget). I've also managed to have it happen while roaming with my phone, again spuriously, implying there's some IPv6 format that isn't being sanitized beforehand. Presently, I think it'd be best to refactor out that call into a variable, and check for false before ANDing it with the netmask.
A la:
$ip_addr_num = inet_pton( $ip_addr ); // Fallible call to inet_pton() pulled out to a variable.
if ( false === $ip_addr_num ) { // Check the variable for the (un)expected type before the bitwise AND.
	return '::';
}
// Rest of the function continues as normal.
$ip_addr = inet_ntop( $ip_addr_num & inet_pton( $netmask ) );
if ( false === $ip_addr ) {
	return '::';
}
Here's the corresponding error log that led me to find this bug:
PHP Fatal error: Uncaught TypeError: Unsupported operand types: bool & string in /home/public_html/wp-includes/functions.php:8234 Stack trace: #0 /home/public_html/wp-admin/includes/class-wp-community-events.php(273): wp_privacy_anonymize_ip() #1 /home/public_html/wp-includes/script-loader.php(2031): WP_Community_Events::get_unsafe_client_ip() #2 /home/public_html/wp-includes/class-wp-hook.php(324): wp_localize_community_events() #3 /home/public_html/wp-includes/class-wp-hook.php(348): WP_Hook->apply_filters() #4 /home/public_html/wp-includes/plugin.php(517): WP_Hook->do_action() #5 /home/public_html/wp-admin/admin-header.php(144): do_action() #6 /home/public_html/wp-admin/index.php(137): require_once('/home/...') #7 {main} thrown in /home/public_html/wp-includes/functions.php on line 8234
The hosting server is running PHP 8.1, but I suspect any PHP 8+ host will trigger the same error. I never was able to capture the offending IPv6 addresses (not even when it happened to me), as the host's access logs don't support logging IPv6 addresses.
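As an added example (not code from the ticket or from WordPress core), the script below puts the expression the ticket quotes beside the guarded version the reporter proposes and runs both over constructed inputs on PHP 8. The TypeError only fires on addresses that inet_pton() rejects; the guard turns those into the same '::' the function already returns for other malformed input. The /64 netmask literal, the function names and the sample addresses are assumptions made for this example. Note that inet_pton() also emits an E_WARNING when it rejects an address, which appears in the output next to the result lines.

```php
<?php
// Added example, not WordPress core code: the unguarded expression from the
// ticket beside a guarded version, run over constructed inputs on PHP 8.
// The /64 netmask value below is an assumption for illustration.
declare( strict_types=1 );

const IPV6_NETMASK = 'ffff:ffff:ffff:ffff:0000:0000:0000:0000';

/**
 * The shape the ticket reports: inet_pton() returns false on malformed
 * input, and on PHP 8 `false & <binary string>` throws TypeError
 * ("Unsupported operand types: bool & string") instead of coercing.
 */
function anonymize_ipv6_unguarded( string $ip_addr ): string {
	$ip_addr = inet_ntop( inet_pton( $ip_addr ) & inet_pton( IPV6_NETMASK ) );
	if ( false === $ip_addr ) {
		return '::';
	}
	return $ip_addr;
}

/**
 * Guarded version: pull the fallible call into a variable and check it
 * before the bitwise AND. The length check is an extra belt-and-braces
 * step: a string AND in PHP truncates to the shorter operand, so a 4-byte
 * IPv4 result ANDed against the 16-byte mask would come back unmasked.
 */
function anonymize_ipv6_guarded( string $ip_addr ): string {
	$ip_addr_num = inet_pton( $ip_addr );
	if ( false === $ip_addr_num || 16 !== strlen( $ip_addr_num ) ) {
		return '::';
	}
	$netmask_num = inet_pton( IPV6_NETMASK ); // Constant literal, always parses.
	$anonymized  = inet_ntop( $ip_addr_num & $netmask_num );
	return false === $anonymized ? '::' : $anonymized;
}

// Constructed inputs: two valid addresses, then inputs inet_pton() rejects
// (too many groups, non-hex characters, empty) and an IPv4 literal.
$samples = array(
	'2001:db8::1',                   // valid -> 2001:db8::
	'2001:db8:85a3::8a2e:370:7334',  // valid -> 2001:db8:85a3::
	'2001:db8::1:2:3:4:5:6:7',       // nine groups once '::' expands -> rejected
	'2001:db8::zzzz',                // non-hex group -> rejected
	'',                              // empty -> rejected
	'192.0.2.1',                     // parses, but as 4 bytes, not 16
);

foreach ( $samples as $sample ) {
	try {
		$unguarded = anonymize_ipv6_unguarded( $sample );
	} catch ( TypeError $e ) {
		// This is the fatal the ticket's stack trace shows, caught here only
		// so the harness can keep going and print every row.
		$unguarded = 'TypeError: ' . $e->getMessage();
	}
	printf(
		"%-32s unguarded=%-48s guarded=%s\n",
		var_export( $sample, true ),
		$unguarded,
		anonymize_ipv6_guarded( $sample )
	);
}
```

Run it with `php anonymize_check.php` on a PHP 8 CLI. The three rejected inputs produce the TypeError row for the unguarded function and '::' for the guarded one; the IPv4 literal shows why the 16-byte check is worth keeping even though the core function routes dotted-quad input to a separate branch.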
Change History (3)
#2
@
5 weeks ago
Hey, look at what I got, I managed to replicate it!
In the proxy I put
X-Forwarded-For: 2001:db8::1:2:3:4:5:6:7
in the GET request for wp-admin
GET http://localhost:8889/wp-admin/ HTTP/1.1
When the admin panel loads, it shows this:
Fatal error: Uncaught TypeError: Unsupported operand types: bool & string in /var/www/src/wp-includes/functions.php:8265 Stack trace: #0 /var/www/src/wp-admin/includes/class-wp-community-events.php(273): wp_privacy_anonymize_ip('2001:db8::1:2:3...', true) #1 /var/www/src/wp-includes/script-loader.php(2031): WP_Community_Events::get_unsafe_client_ip() #2 /var/www/src/wp-includes/class-wp-hook.php(324): wp_localize_community_events() #3 /var/www/src/wp-includes/class-wp-hook.php(348): WP_Hook->apply_filters(, Array) #4 /var/www/src/wp-includes/plugin.php(517): WP_Hook->do_action(Array) #5 /var/www/src/wp-admin/admin-header.php(144): do_action('admin_print_scr...') #6 /var/www/src/wp-admin/_index.php(137): require_once('/var/www/src/wp...') #7 /var/www/src/wp-admin/index.php(10): require_once('/var/www/src/wp...') #8 {main} thrown in /var/www/src/wp-includes/functions.php on line 8265
There has been a critical error on this website. Please check your site admin email inbox for instructions. If you continue to have problems, please try the support forums.
Learn more about troubleshooting WordPress.
So yeah, we crashed the wp-admin panel by having a broken IP.
This could be something, I will proceed to try to crash this with a real IPv6 address, or maybe it is just nothing...
#3
@
5 weeks ago
@codesdnc I tested 200 valid IPv6 addresses and none of them got the same error. This appears to be happening only on invalid IPv6 addresses. Are you sure that you were using a valid one? If this is the case I will generate a lot more IPv6 addresses to test this. BTW I read the wp_privacy_anonymize function source and I think this is really the case only for invalid IPv6 addresses (but anyway I am not a master at this currently, I could be wrong).
Thank you
Hey hello, good you found it out.
I will proceed to try to replicate this right now, then I will come back.
See ya.