[wp-trac] [WordPress Trac] #63154: Fatal error when moderation hash is given as array
WordPress Trac
noreply at wordpress.org
Mon Mar 24 10:44:10 UTC 2025
#63154: Fatal error when moderation hash is given as array
--------------------------+-----------------------------
Reporter: leedxw | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
A recent uncommissioned penetration test resulted in PHP Fatal errors:
{{{
PHP Fatal error: Uncaught TypeError: hash_equals(): Argument #1 ($known_string) must be of type string, array given in /var/www/html/wp-includes/comment.php:1959
}}}
The request was
{{{
GET /page-with-comments/?moderation-hash[]=0cdbea79cf8fc31fe70f8d06581b06a8&unapproved=21 HTTP/1.1"
}}}
Which triggered a fatal error in using {{{hash_equals()}}} with an array.
{{{
if ( $comment && hash_equals( $_GET['moderation-hash'], wp_hash( $comment->comment_date_gmt ) ) ) {
}}}
I suggest testing against {{{! is_array()}}} prior to {{{hash_equals()}}}.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63154>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
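
The type check suggested in the ticket, as an added stand-alone example (not WordPress core code and not the reporter's patch). `demo_hash()` is a hypothetical stand-in for `wp_hash()`, and the secret, comment date and query strings are constructed; `is_string()` is used rather than `! is_array()` so a missing parameter is rejected as well.

```php
<?php
// Added example, not WordPress core code. demo_hash() is a hypothetical
// stand-in for wp_hash(); the secret and comment date are constructed.
const DEMO_SECRET = 'constructed-demo-secret';

function demo_hash(string $data): string
{
    return hash_hmac('md5', $data, DEMO_SECRET);
}

/**
 * Returns true only when the query carries a scalar string hash that matches.
 * Arrays (moderation-hash[]=...) and missing values are rejected before
 * hash_equals() is reached, so no TypeError is thrown.
 */
function moderation_hash_matches(array $query, string $comment_date_gmt): bool
{
    $supplied = $query['moderation-hash'] ?? null;
    if (!is_string($supplied)) {
        return false;
    }
    // Known value first, user-supplied value second.
    return hash_equals(demo_hash($comment_date_gmt), $supplied);
}

$date = '2025-01-01 00:00:00'; // constructed sample comment_date_gmt
$good = demo_hash($date);

// Constructed query strings covering the scalar, array and missing cases.
$cases = [
    'scalar, correct' => 'moderation-hash=' . $good . '&unapproved=21',
    'scalar, wrong'   => 'moderation-hash=deadbeef&unapproved=21',
    'array form'      => 'moderation-hash[]=' . $good . '&unapproved=21',
    'missing'         => 'unapproved=21',
];

foreach ($cases as $label => $qs) {
    parse_str($qs, $query); // same parsing rules PHP applies to $_GET
    printf("%-16s type=%-6s match=%s\n", $label,
        gettype($query['moderation-hash'] ?? null),
        var_export(moderation_hash_matches($query, $date), true));
}
```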