Login and Registration: Check that the $_POST values are strings in…

… `wp_signon()`. This prevents a fatal error from `trim()` via `wp_authenticate()` if an array is passed instead. Follow-up to [6643], [58093]. Props leedxw, audrasjb, SergeyBiryukov. Fixes #62794. git-svn-id: https://develop.svn.wordpress.org/trunk@59595 602fd350-edb4-49c9-b593-d223f7449a82
draganescu · Jan 9, 2025 · a48e180 · a48e180
1 parent c53397d
commit a48e180
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 2 deletions.
diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
@@ -48,10 +48,10 @@ function wp_signon( $credentials = array(), $secure_cookie = '' ) {
 			'remember'      => false,
 		);
 
-		if ( ! empty( $_POST['log'] ) ) {
+		if ( ! empty( $_POST['log'] ) && is_string( $_POST['log'] ) ) {
 			$credentials['user_login'] = wp_unslash( $_POST['log'] );
 		}
-		if ( ! empty( $_POST['pwd'] ) ) {
+		if ( ! empty( $_POST['pwd'] ) && is_string( $_POST['pwd'] ) ) {
 			$credentials['user_password'] = $_POST['pwd'];
 		}
 		if ( ! empty( $_POST['rememberme'] ) ) {

diff --git a/tests/phpunit/tests/auth.php b/tests/phpunit/tests/auth.php
@@ -634,6 +634,28 @@ public function test_wp_signon_does_not_throw_deprecation_notices_with_default_p
 		$this->assertContains( 'empty_password', $error_codes, 'The "empty_password" error code should be present.' );
 	}
 
+	/**
+	 * Tests that a warning or a fatal error is not thrown when the login or password
+	 * passed via `$_POST` is an array instead of a string.
+	 *
+	 * The messages that we should not see:
+	 * `Warning: wp_strip_all_tags() expects parameter #1 ($text) to be a string, array given`.
+	 * `TypeError: trim(): Argument #1 ($string) must be of type string, array given`.
+	 *
+	 * @ticket 62794
+	 */
+	public function test_wp_signon_does_not_throw_fatal_errors_with_array_parameters() {
+		$_POST['log'] = array( 'example' );
+		$_POST['pwd'] = array( 'example' );
+
+		$error = wp_signon();
+		$this->assertWPError( $error, 'The result should be an instance of WP_Error.' );
+
+		$error_codes = $error->get_error_codes();
+		$this->assertContains( 'empty_username', $error_codes, 'The "empty_username" error code should be present.' );
+		$this->assertContains( 'empty_password', $error_codes, 'The "empty_password" error code should be present.' );
+	}
+
 	/**
 	 * HTTP Auth headers are used to determine the current user.
 	 *