[wp-trac] [WordPress Trac] #56165: Bogus query parameters force WordPress to drop query limit and exhausts memory

WordPress Trac noreply at wordpress.org
Wed Jul 6 18:30:28 UTC 2022


#56165: Bogus query parameters force WordPress to drop query limit and exhausts
memory
--------------------------+-----------------------------
 Reporter:  coreyw        |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Query         |    Version:  6.0
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 I noticed that a site was regularly getting out of memory errors at a URL
 that seems to be an attempt at "hacking" a Drupal site:

 {{{
 https://example.com/?q=user%2Fpassword&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=dir&debug
 }}}

 For some reason this causes WordPress to execute this query:

 {{{
 SELECT   wp_posts.* FROM wp_posts  WHERE 1=1  AND wp_posts.post_type =
 'post' AND ((wp_posts.post_status = 'publish'))  ORDER BY
 wp_posts.post_date DESC
 }}}

 You'll notice that there is no `LIMIT` set, even though the site has a
 limit set by default and there are no plugins/filters to alter this.

 On a site with a large number of posts this can easily cause memory issues
 (I noticed it during the `update_meta_cache` function running after the
 query).

 That URL is causing WordPress to execute this query:

 {{{
 WP_Query->query(Array ([name] => Array ([#post_render] => Array ([0] =>
 passthru),[#type] => markup,[#markup] => dir)))
 }}}

 The `name` parameter is supposed to be a string, so I'm not sure why it's
 affecting the query at all (PHP 7.4 does throw a warning because WP tries
 to `trim()` the value, PHP 8.1 throws an error).

 I haven't gotten far enough in to see why the query limit is dropped, but
 I imagine in any case this URL should result in either the homepage being
 displayed or a 404.

 Here is a full backtrace:

 {{{
 #0  update_meta_cache(post, Array ([0] => 81102,[1] => 80934,[2] =>
 80927,...))
 #1  update_postmeta_cache(Array ([0] => 81102,[1] => 80934,[2] =>
 80927,...))
 #2  update_post_caches(Array ([0] => WP_Post Object ([ID] =>
 81102,[post_author] => 5,[post_date] => 2022-07-01
 10:17:29,[post_date_gmt] => 2022-07-01 17:17:29,[post_content] => <!--
 wp:paragraph -->
 #3  WP_Query->get_posts() called at [/wp-includes/class-wp-query.php:3586]
 #4  WP_Query->query(Array ([name] => Array ([#post_render] => Array ([0]
 => passthru),[#type] => markup,[#markup] => dir))) called at [/wp-includes
 /class-wp.php:648]
 #5  WP->query_posts() called at [/wp-includes/class-wp.php:775]
 #6  WP->main() called at [/wp-includes/functions.php:1330]
 #7  wp() called at [/wp-blog-header.php:16]
 #8  require(/wp-blog-header.php) called at [/index.php:4]
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/56165>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
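
Added example (not part of the ticket and not WordPress code): a log check for the request shape reported above, where `name` arrives with PHP array syntax instead of as a string. The combined log format, the sample lines, and the names `SCALAR_VARS`, `array_typed_vars` and `scan` are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: query vars that must be plain strings. `name` comes from the
# ticket; extend the set for the site being monitored.
SCALAR_VARS = {"name"}

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jul/2022:18:01:02 +0000] "GET /?q=user%2Fpassword&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=dir&debug HTTP/1.1" 500 0
198.51.100.4 - - [06/Jul/2022:18:01:05 +0000] "GET /?name=hello-world HTTP/1.1" 200 5120
198.51.100.9 - - [06/Jul/2022:18:01:09 +0000] "GET /?name%5B%5D=x HTTP/1.1" 500 0
198.51.100.9 - - [06/Jul/2022:18:01:11 +0000] "GET /?filename[]=x&s=name[] HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def array_typed_vars(target):
    """Return the scalar query vars a request passes with PHP array syntax."""
    hits = set()
    for pair in urlsplit(target).query.split("&"):
        # Only the key matters; decode it so name%5B%5D is seen as name[].
        key = unquote(pair.split("=", 1)[0].replace("+", " "))
        base, bracket, _ = key.partition("[")
        if bracket and base in SCALAR_VARS:
            hits.add(base)
    return hits


def scan(log_text):
    """Return (line number, client IP, offending vars) for each flagged line."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = array_typed_vars(match.group(1))
        if hits:
            findings.append((lineno, line.split()[0], sorted(hits)))
    return findings


if __name__ == "__main__":
    for lineno, ip, names in scan(SAMPLE_LOG):
        print(f"line {lineno}: {ip} sent array-typed {names}")
```

Flagged lines can be correlated with out-of-memory errors or slow-query log entries for the unbounded `SELECT` shown in the ticket.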

