[wp-trac] [WordPress Trac] #63437: [v6.8.1] Unsupported operand types: bool & string in wp_privacy_anonymize_ip on line 8234
WordPress Trac
noreply at wordpress.org
Mon May 12 22:03:43 UTC 2025
#63437: [v6.8.1] Unsupported operand types: bool & string in
wp_privacy_anonymize_ip on line 8234
-------------------------------+-----------------------------
Reporter: codesdnc | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Administration | Version: 6.8
Severity: major | Keywords:
Focuses: php-compatibility |
-------------------------------+-----------------------------
At present, it's somehow possible for a malformed IPv6 address to get
passed into this expression:
{{{#!php
$ip_addr = inet_ntop( inet_pton( $ip_addr ) & inet_pton( $netmask ) );
}}}
The first call to inet_pton() is ''sometimes'' returning false for one of
my admins, causing their access to the wp-admin/ dashboard to hit a
critical error (as it's used by the Community Events widget). I've also
managed to have it happen while roaming with my phone, again spuriously,
implying there's some IPv6 format this isn't being sanitized beforehand.
Presently, I think it'd be best to refactor out that call into a variable,
and check for false before anding it with the netmask.
A la:
{{{#!php
$ip_addr_num = inet_pton( $ip_addr ); // Fallible call to inet_pton()
pulled out to var
if( false === $ip_addr_num ) { // Check var for (un)expected type
return '::';
}
// Rest of function continues as normal
$ip_addr = inet_ntop( $ip_addr_num & inet_pton( $netmask ) );
if( false === $ip_addr ){
return '::';
}
}}}
Here's the corresponding error log that lead me to find this bug:
{{{
PHP Fatal error: Uncaught TypeError: Unsupported operand types: bool &
string in /home/public_html/wp-includes/functions.php:8234
Stack trace:
#0 /home/public_html/wp-admin/includes/class-wp-community-events.php(273):
wp_privacy_anonymize_ip()
#1 /home/public_html/wp-includes/script-loader.php(2031):
WP_Community_Events::get_unsafe_client_ip()
#2 /home/public_html/wp-includes/class-wp-hook.php(324):
wp_localize_community_events()
#3 /home/public_html/wp-includes/class-wp-hook.php(348):
WP_Hook->apply_filters()
#4 /home/public_html/wp-includes/plugin.php(517): WP_Hook->do_action()
#5 /home/public_html/wp-admin/admin-header.php(144): do_action()
#6 /home/public_html/wp-admin/index.php(137): require_once('/home/...')
#7 {main}
thrown in /home/public_html/wp-includes/functions.php on line 8234
}}}
The hosting server is running PHP8.1, but I suspect any PHP8+ host will
trigger the same error. I never was able to capture the offending IPv6
addresses (not even when it happened to me), the host's logs don't support
logging IPv6 addresses in their access logs.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63437>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list