[wp-trac] [WordPress Trac] #60745: WP_Query::parse_query() does not handle invalid query arg values

WordPress Trac noreply at wordpress.org
Wed Jul 17 17:53:44 UTC 2024


#60745: WP_Query::parse_query() does not handle invalid query arg values
--------------------------------------------+------------------------------
 Reporter:  xknown                          |       Owner:  (none)
     Type:  defect (bug)                    |      Status:  new
 Priority:  normal                          |   Milestone:  Awaiting Review
Component:  Query                           |     Version:
 Severity:  normal                          |  Resolution:
 Keywords:  has-patch has-unit-tests php80  |     Focuses:
--------------------------------------------+------------------------------

Comment (by josephscott):

 This is a bug in WordPress core code. You can easily demonstrate this
 fatal error using the WordPress Playground (I tested these steps in
 Chrome).

 - Visit https://playground.wordpress.net/ to spin up a fresh site (a new
 incognito window can be helpful)
 - Open one of the page links in a new tab to get a fresh scoped URL, like
 https://playground.wordpress.net/scope:0.2459814000732259/
 - Add `?feed[]=admin` to the scoped URL, like
 https://playground.wordpress.net/scope:0.2459814000732259/?feed[]=admin
 and request that URL
 - Get a fatal error back
 - Go to the original tab, in the three-bar menu click on `View logs`
 - Review the stack traces for the fatal error

 {{{
 PHP Fatal error: Uncaught TypeError: str_contains(): Argument #1
 ($haystack) must be of type string, array given in /wordpress/wp-includes
 /class-wp-query.php:3
 Stack trace:
 #0 /wordpress/wp-includes/class-wp-query.php(3): str_contains(Array,
 'comments-')
 #1 /wordpress/wp-includes/class-wp-query.php(3): WP_Query->parse_query()
 #2 /wordpress/wp-includes/class-wp-query.php(13): WP_Query->get_posts()
 #3 /wordpress/wp-includes/class-wp.php(3): WP_Query->query(Array)
 #4 /wordpress/wp-includes/class-wp.php(3): WP->query_posts()
 #5 /wordpress/wp-includes/functions.php(2): WP->main('')
 #6 /wordpress/wp-blog-header.php(2): wp()
 #7 /wordpress/index.php(2): require('/wordpress/wp-b...')
 #8 {main}
 thrown in /wordpress/wp-includes/class-wp-query.php on line 3
 }}}

 These types of `?feed[]=admin` requests happen regularly, often from those
 attempting to scan sites for vulnerabilities. No theme or plugin changes
 were made. No settings or code changes of any kind were made. It is WordPress
 core not validating data structures before using them.

 As a general principle WordPress core code should be stable and resilient.
 This change helps accomplish that goal.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/60745#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
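The failure mode described in the comment above, as an added example that is not part of the ticket and not WordPress core code: a request like `?feed[]=admin` makes PHP populate the query var as an array, and passing that array straight into `str_contains()` throws the TypeError shown in the stack trace. The function names `parse_feed_var_unsafe()`, `parse_feed_var_safe()` and `query_args_from_string()`, and the sample query strings, are assumptions for illustration; the hardened variant is one possible scalar check, not the patch attached to the ticket.

```php
<?php
// Added example (not WordPress core code, not the ticket's patch).
// Shows why `?feed[]=admin` reaches str_contains() as an array, and one
// way a caller can validate a query var before using string functions on it.
// Function names and sample inputs below are assumptions for illustration.

declare(strict_types=1);

/**
 * Mimics the vulnerable pattern: treat $args['feed'] as a string and call
 * str_contains() on it. Under PHP 8, passing an array throws TypeError,
 * matching the fatal error reported in the ticket.
 */
function parse_feed_var_unsafe(array $args): bool
{
    if (empty($args['feed'])) {
        return false;
    }
    // Mirrors the failing call in the trace: str_contains(Array, 'comments-')
    return str_contains($args['feed'], 'comments-');
}

/**
 * Hardened variant: only scalar values are accepted as a feed name.
 * Arrays (and any other non-scalar) are treated as "no feed requested".
 */
function parse_feed_var_safe(array $args): bool
{
    $feed = $args['feed'] ?? '';
    if (!is_scalar($feed)) {
        // e.g. ['admin'] produced by ?feed[]=admin is not a valid feed name
        return false;
    }
    return str_contains((string) $feed, 'comments-');
}

/**
 * Parse a raw query string the way PHP populates $_GET, so the example
 * runs from the CLI without a web server. parse_str() turns
 * "feed[]=admin" into ['feed' => ['admin']].
 */
function query_args_from_string(string $query_string): array
{
    parse_str($query_string, $args);
    return $args;
}

// Constructed sample inputs: one benign feed request, one scanner-style request.
$samples = [
    'feed=comments-rss2',
    'feed[]=admin',
];

foreach ($samples as $qs) {
    $args = query_args_from_string($qs);
    printf("%-20s -> feed is %s\n", $qs, gettype($args['feed']));

    try {
        var_dump(parse_feed_var_unsafe($args));
    } catch (TypeError $e) {
        // Same message as the fatal error in the ticket, but caught here
        echo "unsafe: TypeError: " . $e->getMessage() . "\n";
    }

    // Safe variant never throws: true for the benign input, false for the array
    var_dump(parse_feed_var_safe($args));
}
```

Run it with `php example.php`. The first sample returns `true` from both functions; the second makes the unsafe variant throw "str_contains(): Argument #1 ($haystack) must be of type string, array given" while the safe variant returns `false`. The same scalar check applies to any query var that core or a plugin hands to a string function, since PHP will build nested arrays from `[]` or `[key]` suffixes on any parameter name.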

