[wp-trac] [WordPress Trac] #39945: WP_Query::get_posts fails to correctly sanitize 'posts_per_page'
WordPress Trac
noreply at wordpress.org
Wed Feb 22 21:34:03 UTC 2017
#39945: WP_Query::get_posts fails to correctly sanitize 'posts_per_page'
--------------------------+-----------------------------
 Reporter:  biisent       |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Query         |    Version:  4.7.2
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
WP_Query::get_posts fails to correctly sanitize the 'posts_per_page'
argument when a negative value in range (-2, -1) is supplied.
== Example ==
The following get_posts query causes an exception:
{{{
get_posts(array('posts_per_page' => '-1.5'));
}}}
Exception: WordPress database error You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the
right syntax to use near '-1' at line 1 for query SELECT wp_posts.ID
FROM wp_posts WHERE 1=1 AND wp_posts.post_type = 'post' AND
((wp_posts.post_status = 'publish')) ORDER BY wp_posts.post_date DESC
LIMIT 0, -1 made by get_posts, WP_Query->query, WP_Query->get_posts
== Cause ==
Incomplete sanitization in WP_Query::get_posts(), lines 1775-1779:
{{{
$q['posts_per_page'] = (int) $q['posts_per_page'];
if ( $q['posts_per_page'] < -1 )
    $q['posts_per_page'] = abs($q['posts_per_page']);
elseif ( $q['posts_per_page'] == 0 )
    $q['posts_per_page'] = 1;
}}}
== Impact ==
Some plugins (e.g. WooCommerce) initialize the posts_per_page argument
with user-supplied values and may suffer from an information disclosure
vulnerability, depending on the webserver configuration.
Confirmed on the latest WordPress version 4.7.2.
First reported on 19.02.2017 to security[at]wordpress.org without response
(not nice!), so I assume you do not consider this security relevant in
accordance with e.g.
https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39945>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
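
Added example (not part of the ticket and not WordPress core code): the cast-and-check lines quoted under Cause, next to a stricter caller-side check that a plugin could apply to a user-supplied page size before calling get_posts. The function names, the default of 10 and the cap of 100 are assumptions made for illustration.

```php
<?php
// Added example, not WordPress core code. Function names are hypothetical.

// The cast-and-check lines quoted in the ticket, wrapped in a function.
function ticket_snippet( $value ) {
    // (int) truncates toward zero, so '-1.5' becomes -1 and passes both checks below.
    $n = (int) $value;
    if ( $n < -1 ) {
        $n = abs( $n );
    } elseif ( $n == 0 ) {
        $n = 1;
    }
    return $n;
}

// Hypothetical caller-side check for code that takes the page size from a request.
// Assumption: user input may only ask for 1..$max posts; anything else
// (fractions, negatives, non-numeric strings, arrays) falls back to $default.
function normalize_posts_per_page( $value, $default = 10, $max = 100 ) {
    $n = filter_var(
        $value,
        FILTER_VALIDATE_INT,
        array( 'options' => array( 'min_range' => 1, 'max_range' => $max ) )
    );
    return ( false === $n ) ? $default : $n;
}

// Constructed sample inputs, including the value from the ticket.
$samples = array( '10', '-1', '-1.5', '-1.99', '-2', '0', 'abc', '500' );

foreach ( $samples as $raw ) {
    printf(
        "%-8s snippet=%-5d normalized=%d\n",
        var_export( $raw, true ),
        ticket_snippet( $raw ),
        normalize_posts_per_page( $raw )
    );
}
```

Rejecting the value outright, instead of casting it, keeps a fractional or negative page size from reaching the LIMIT clause shown in the ticket's error message.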