[wp-trac] [WordPress Trac] #44652: URL Hash Vulnerability

WordPress Trac noreply at wordpress.org
Mon Jul 30 15:10:17 UTC 2018 

#44652: URL Hash Vulnerability
----------------------------------------+------------------------------
 Reporter:  sfasfsafds                  |       Owner:  (none)
     Type:  defect (bug)                |      Status:  new
 Priority:  normal                      |   Milestone:  Awaiting Review
Component:  Query                       |     Version:  2.7
 Severity:  normal                      |  Resolution:
 Keywords:  needs-patch good-first-bug  |     Focuses:
----------------------------------------+------------------------------
Changes (by chriscct7):

 * keywords:  needs-patch => needs-patch good-first-bug
 * version:  4.9.7 => 2.7
 * component:  Security => Query


Comment:

 In `wp-includes/class-wp-query.php`, the function `parse_query` does not
 validate the datatype of several variables, in this example URL, `name`,
 prior to running `trim()` on it, which requires a string (or castable)
 datatype. As an array is not non-overloaded castable to string in PHP, a
 PHP warning will be thrown as the first parameter of `trim()` requires a
 string.

 There's a couple sections in here where an `is_string` check could be run,
 and if the comparison fails cast it to an empty string (discard). For
 example:

 {{{#!php
 $qv['pagename'] = trim( $qv['pagename'] );
 $qv['name']     = trim( $qv['name'] );
 $qv['title']    = trim( $qv['title'] );
 }}}

 could be
 {{{#!php
 $qv['pagename'] = is_string( $qv['pagename'] ) ? trim( $qv['pagename'] ) :
 '';
 $qv['name']     = is_string( $qv['name']     ) ? trim( $qv['name'] )     :
 '';
 $qv['title']    = is_string( $qv['title']    ) ? trim( $qv['title'] )    :
 '';
 }}}

 This makes for a good-first-bug, as the changes required are simple and
 contained, and provides a good, easy bug to provide PHP unit tests for.

 The bug for pagename and name using trim without type checking was
 introduced in #7537.
 The bug for title was introduced on addition in #33074.

 As a result, the bug has existing since the merge of [8667] in WordPress
 2.7.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/44652#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list