[wp-trac] [WordPress Trac] #44652: URL Hash Vulnerability
WordPress Trac
noreply at wordpress.org
Mon Jul 30 15:10:17 UTC 2018
#44652: URL Hash Vulnerability
----------------------------------------+------------------------------
Reporter: sfasfsafds | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Query | Version: 2.7
Severity: normal | Resolution:
Keywords: needs-patch good-first-bug | Focuses:
----------------------------------------+------------------------------
Changes (by chriscct7):
* keywords: needs-patch => needs-patch good-first-bug
* version: 4.9.7 => 2.7
* component: Security => Query
Comment:
In `wp-includes/class-wp-query.php`, the function `parse_query` does not
validate the datatype of several variables, in this example URL, `name`,
prior to running `trim()` on it, which requires a string (or castable)
datatype. As an array is not non-overloaded castable to string in PHP, a
PHP warning will be thrown as the first parameter of `trim()` requires a
string.
There are a couple of sections in here where an `is_string` check could be run,
and if the comparison fails cast it to an empty string (discard). For
example:
{{{#!php
$qv['pagename'] = trim( $qv['pagename'] );
$qv['name'] = trim( $qv['name'] );
$qv['title'] = trim( $qv['title'] );
}}}
could be
{{{#!php
$qv['pagename'] = is_string( $qv['pagename'] ) ? trim( $qv['pagename'] ) : '';
$qv['name']     = is_string( $qv['name'] ) ? trim( $qv['name'] ) : '';
$qv['title']    = is_string( $qv['title'] ) ? trim( $qv['title'] ) : '';
}}}
This makes for a good-first-bug, as the changes required are simple and
contained, and provides a good, easy bug to provide PHP unit tests for.
The bug for pagename and name using trim without type checking was
introduced in #7537.
The bug for title was introduced on addition in #33074.
As a result, the bug has existed since the merge of [8667] in WordPress
2.7.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44652#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
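Added example, not code from the ticket or from WordPress core: it shows how a query string with an array-typed parameter reaches the `trim()` calls discussed in the comment, and compares the unguarded call with the `is_string()` guard proposed above. The helper names `sanitize_string_qv`, `guarded_parse` and `unguarded_parse` are assumptions for this demonstration.

```php
<?php
// Added example (not WordPress core code). Helper names are hypothetical.

/**
 * Return a trimmed string for a query var, or '' when the value is not a
 * string. This is the is_string() guard proposed in the ticket.
 */
function sanitize_string_qv( $value ) {
    return is_string( $value ) ? trim( $value ) : '';
}

/**
 * Guarded handling of the three query vars named in the ticket.
 */
function guarded_parse( array $qv ) {
    foreach ( array( 'pagename', 'name', 'title' ) as $key ) {
        $qv[ $key ] = sanitize_string_qv( $qv[ $key ] ?? '' );
    }
    return $qv;
}

/**
 * Unguarded variant for comparison: calls trim() on whatever arrives.
 * On PHP 7 trim() on an array emits a warning and returns null;
 * on PHP 8 it throws a TypeError instead.
 */
function unguarded_parse( array $qv ) {
    foreach ( array( 'pagename', 'name', 'title' ) as $key ) {
        $qv[ $key ] = trim( $qv[ $key ] ?? '' );
    }
    return $qv;
}

// Constructed input: `name[]=foo` becomes an array after parse_str(),
// exactly as it would in $_GET for a request carrying that query string.
parse_str( 'name[]=foo&title=%20Hello%20&pagename=about', $qv );

// The guarded version discards the array-valued `name` and trims the rest.
var_dump( guarded_parse( $qv ) );

// The unguarded version reproduces the defect described in the ticket.
try {
    var_dump( unguarded_parse( $qv ) );
} catch ( TypeError $e ) {
    echo 'unguarded trim() failed: ', $e->getMessage(), PHP_EOL;
}
```

Run it under both PHP 7 and PHP 8 to see the warning-versus-TypeError difference the comments describe; the guarded path behaves the same on both.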