[wp-trac] [WordPress Trac] #61732: get_calendar() will use invalid dates in SQL queries

WordPress Trac noreply at wordpress.org
Tue Jul 23 17:26:01 UTC 2024


#61732: get_calendar() will use invalid dates in SQL queries
--------------------------+-----------------------------
 Reporter:  leedxw        |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  6.6
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 `get_calendar()` will use a client provided value for an SQL date request
 without checking validity.

 Checking the logs recently, I can see errors along the lines of

 {{{
 PHP message: WordPress database error Incorrect DATETIME value:
 '2171-94-01' for query SELECT MONTH(post_date) AS month, YEAR(post_date)
 AS year ...
 }}}

 Where the value was not valid since the month was not between 01 and 12
 inclusive.

 Investigating, what I was seeing was:

 * A bunch of junk requests that had random variables applied
 {{{
 GET /some_nonexistant_random_page?m=la2m,1o7tfe1poe9h_4ksa8,w876
 }}}
 * The theme uses something that uses `widget`, that then uses
 `get_calendar()`
 * `WP_Query::parse_query()` was helpfully stripping out non numbers into
 the global `$m` - but there are no validity checks on the result.
 * `get_calendar()` was using a substring of the junk `$m` as the base for
 month.
 * SQL complains about an invalid date
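 One way to validate the `m` value before a month/year is ever built from it,
 as an added illustration that is not WordPress core code (the helper name, the
 digits-only step and the YYYYMM substring offsets are assumptions drawn from
 the description above):

```php
<?php
// Added example, not WordPress's own code. The report says parse_query()
// strips non-digits from the client-supplied `m` and the calendar then takes
// substrings of the result; this helper does the same but refuses to return
// a year/month pair that MySQL would reject as a DATETIME.

/**
 * Derive a (year, month) pair from a raw `m` query value, or null when the
 * digits do not form a real calendar month.
 */
function calendar_year_month_from_m( string $raw_m ): ?array {
    // Mirror the parse step: keep digits only (assumed behaviour per the report).
    $digits = preg_replace( '/[^0-9]/', '', $raw_m );

    // `m` is read as YYYYMM; anything shorter cannot yield a month.
    if ( strlen( $digits ) < 6 ) {
        return null;
    }

    $year  = (int) substr( $digits, 0, 4 );
    $month = (int) substr( $digits, 4, 2 );

    // checkdate() rejects month 00 and months above 12; the year bound is
    // MySQL's DATETIME range (1000-01-01 to 9999-12-31).
    if ( $year < 1000 || $year > 9999 || ! checkdate( $month, 1, $year ) ) {
        return null;
    }

    return array( 'year' => $year, 'month' => $month );
}

/**
 * Caller-side fallback: use the validated pair, or the current month when
 * the query value is junk, so no invalid date reaches the SQL layer.
 */
function calendar_year_month_or_now( string $raw_m ): array {
    $parsed = calendar_year_month_from_m( $raw_m );
    if ( null === $parsed ) {
        return array( 'year' => (int) date( 'Y' ), 'month' => (int) date( 'n' ) );
    }
    return $parsed;
}

// Constructed input: the junk request string quoted in the ticket.
$junk = 'la2m,1o7tfe1poe9h_4ksa8,w876';
print_r( calendar_year_month_or_now( $junk ) );
print_r( calendar_year_month_or_now( '202407' ) );
```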

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/61732>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform