Ticket #3891 (closed defect: fixed)

Opened 2 years ago

Last modified 2 years ago

Multiple errors when passing some query variables as an array (Only with Register Globals ON)

Reported by: g30rg3x
Assigned to: markjaquith
Priority: normal
Milestone: 2.1.3
Component: General
Version: 2.1
Severity: normal
Keywords: m, cat, array, register globals, has-patch
Cc:

Description

As read on the SecurityFocus BugTraq mailing list:
http://www.securityfocus.com/archive/1/456731

There is a defect when passing "m" as an array, for example:
http://host/?m[]=

Also, I found that "cat" has the same bug as the "m" value, but it only discloses an error in the function urldecode():
http://host/?cat[]=

This bug/defect only works if the "Register Globals" directive in PHP is turned ON.
I think this patch is a temporary solution to the problem, and I also think it could be solved in another area.

Other live examples:
http://alexking.org/?m[]=
http://boren.nu/?m[]=
http://dougal.gunters.org/?cat[]=

Attachments

m_and_cat_problem_with_array_and_PHPGLOBAL.patch (1.6 kB) - added by g30rg3x on 03/01/07 00:24:38.
Temporary Solution
query.php.diff (1.0 kB) - added by g30rg3x on 03/01/07 08:08:49.
More General Fix and Possibly a Better Solution to the Defect.
cast_qvs_to_string.diff (487 bytes) - added by markjaquith on 03/02/07 07:33:59.
cast to string

Change History

03/01/07 00:24:38 changed by g30rg3x

  • attachment m_and_cat_problem_with_array_and_PHPGLOBAL.patch added.

Temporary Solution

(follow-up: ↓ 2 ) 03/01/07 05:04:43 changed by markjaquith

Maybe we should just cast all QVs to strings early on. None of them, to my knowledge, support arrays anyway. They're all comma separated (the ones that accept multiple values)

(in reply to: ↑ 1 ) 03/01/07 06:49:48 changed by g30rg3x

Replying to markjaquith: You are right... it has more defects like this in other query vars. I am now researching more defects like this and will probably upload a new general fix for this problem...

03/01/07 08:08:49 changed by g30rg3x

  • attachment query.php.diff added.

More General Fix and Possibly a Better Solution to the Defect.

03/01/07 16:08:08 changed by g30rg3x

  • summary changed from Multiple Errors When passing as an array variables "m" and "cat" (Only with PHP Register Globals ON) to Multiple errors when passing some query variables as an array (Only with Register Globals ON).

Update
This new title explains the problem better, because not only "m" and "cat" have the problem with arrays, but also the variables "subpost", "attachment", "name", "pagename", "category_name", "feed", "tb" and "comments_popup", in fact most of the variables in the array $keys inside the function "fill_query_vars".
Also, the variable "s" seems to be partially affected (or not at all): passing "s" as an array will display the resource identifier "Array", but I don't see a real problem here.

I think this new solution is better than the previous one, but I still think that there is another way to fix this problem, because the "cat" variable is not in the $keys array and needs to be fixed separately, as in the previous patch that I delivered as a temporary solution.

03/02/07 07:33:59 changed by markjaquith

  • attachment cast_qvs_to_string.diff added.

cast to string

(follow-up: ↓ 5 ) 03/02/07 07:35:35 changed by markjaquith

  • keywords changed from m, cat, array, register globals to m, cat, array, register globals has-patch.
  • owner changed from anonymous to markjaquith.
  • status changed from new to assigned.

Uploaded my solution. Simply: cast to string when going through the public_query_vars.

(in reply to: ↑ 4 ) 03/02/07 18:01:39 changed by g30rg3x

Replying to markjaquith:

Whoa, it's quite an amazingly simple solution, but it has a little problem: the function wp_title() in "general-template.php" takes the raw query value, and we can still see "Arra" in the title; it needs a little more.

(follow-up: ↓ 7 ) 03/03/07 05:28:53 changed by markjaquith

g30rg3x,

What URL did you use to get wp_title() to show "Arra" ?

(in reply to: ↑ 6 ) 03/03/07 05:52:44 changed by g30rg3x

03/03/07 15:39:27 changed by g30rg3x

  • keywords changed from m, cat, array, register globals has-patch to m, cat, array, register globals, has-patch.

markjaquith: The bugs in the wp_title() function have more security implications, but they are no longer related to this bug; I will open a new ticket for resolving that problem...
Consider this ticket fixed...

03/04/07 18:16:26 changed by markjaquith

(In [4965]) Cast query vars to strings. fixes #3891

That fixes it for trunk. I'll hold off on fixing it for 2.1.3 until it has been in trunk for a few days.

03/07/07 05:37:24 changed by markjaquith

  • status changed from assigned to closed.
  • resolution set to fixed.

(In [4991]) Cast query vars to strings. fixes #3891
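
Added example (not code from the ticket's patches or from WordPress): a PHP sketch of the approach discussed above, forcing every public query variable to a string before any string function sees it. The function name, the shortened variable list and the sample query string are assumptions; unlike a bare `(string)` cast, which turns an array into the literal string "Array", this variant maps non-scalar values to an empty string.

```php
<?php
// Hypothetical subset of public query variable names, taken from the ticket text.
const PUBLIC_QUERY_VARS = ['m', 'cat', 'name', 'pagename', 'category_name', 'feed', 'tb', 's'];

/**
 * Copy only known query variables from the request and force each to a string.
 * Arrays (as produced by ?m[]=) and other non-scalars become '' instead of
 * reaching string functions or being rendered as "Array".
 */
function normalize_query_vars(array $request, array $allowed): array
{
    $clean = [];
    foreach ($allowed as $key) {
        if (!array_key_exists($key, $request)) {
            continue; // variable not supplied by the client
        }
        $value = $request[$key];
        $clean[$key] = is_scalar($value) ? (string) $value : '';
    }
    return $clean;
}

// Constructed request: the array PHP builds for /?m[]=&cat[]=&s=hello&debug=1
parse_str('m[]=&cat[]=&s=hello&debug=1', $request);

// Before: the raw value is an array, so a string function misbehaves.
// PHP 8 throws TypeError; older versions emit a warning and return null.
try {
    $before = @urldecode($request['cat']);
} catch (TypeError $e) {
    $before = 'TypeError: ' . $e->getMessage();
}
var_dump(is_array($request['cat']), $before);

// After: every known variable is a string, unknown ones ("debug") are dropped.
$qv = normalize_query_vars($request, PUBLIC_QUERY_VARS);
var_dump($qv);

// String functions can now be called on any entry without a type error.
var_dump(urldecode($qv['cat']), strlen($qv['m']), $qv['s']);
```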