From 504d02539f38d4b216a552ba94690a7217fd9227 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov
Date: Thu, 9 Jan 2025 19:43:23 +0000
Subject: [PATCH] Login and Registration: Check that the `$_POST` values are strings in `wp_signon()`. This prevents a fatal error from `trim()` via `wp_authenticate()` if an array is passed instead. Follow-up to [6643], [58093]. Props leedxw, audrasjb, SergeyBiryukov. Fixes #62794. Built from https://develop.svn.wordpress.org/trunk@59595 git-svn-id: http://core.svn.wordpress.org/trunk@58981 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/user.php | 4 ++--
 wp-includes/version.php | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/wp-includes/user.php b/wp-includes/user.php
index f60dbe5d3f..6222e932a9 100644
--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@@ -48,10 +48,10 @@ function wp_signon( $credentials = array(), $secure_cookie = '' ) {
 'remember' => false,
 );
- if ( ! empty( $_POST['log'] ) ) {
+ if ( ! empty( $_POST['log'] ) && is_string( $_POST['log'] ) ) {
 $credentials['user_login'] = wp_unslash( $_POST['log'] );
 }
- if ( ! empty( $_POST['pwd'] ) ) {
+ if ( ! empty( $_POST['pwd'] ) && is_string( $_POST['pwd'] ) ) {
 $credentials['user_password'] = $_POST['pwd'];
 }
 if ( ! empty( $_POST['rememberme'] ) ) {
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 30b5520349..e04ca9d679 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.8-alpha-59594';
+$wp_version = '6.8-alpha-59595';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
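Review bot: The new `is_string()` checks in the `wp-includes/user.php` hunk cover only the values read from `$_POST['log']` and `$_POST['pwd']`. The indentation suggests this block runs only when no `$credentials` were passed in, so a non-string `user_login` or `user_password` supplied by a caller is not checked in the visible lines and could presumably still reach `trim()` in `wp_authenticate()`. The rest of `wp_signon()` lies outside the hunk, so confirm whether a later step validates those keys. If none does, a guard placed after this block would cover both paths, e.g. `if ( isset( $credentials['user_login'] ) && ! is_string( $credentials['user_login'] ) ) { $credentials['user_login'] = ''; }`, with the same for `user_password`. A short comment above the two conditions would also record the intent, such as `// Ignore array-valued fields so wp_authenticate() never receives a non-string.`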