Login and Registration: Check that the $_POST values are strings in wp_signon().

SergeyBiryukov · SergeyBiryukov · commit a48e1806f767 · 2025-01-09T19:41:47.000Z
This prevents a fatal error from `trim()` via `wp_authenticate()` if an array is passed instead. Follow-up to [6643], [58093]. Props leedxw, audrasjb, SergeyBiryukov. Fixes #62794. git-svn-id: https://develop.svn.wordpress.org/trunk@59595 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
@@ -48,10 +48,10 @@ function wp_signon( $credentials = array(), $secure_cookie = '' ) {
 			'remember'      => false,
 		);
 
-		if ( ! empty( $_POST['log'] ) ) {
+		if ( ! empty( $_POST['log'] ) && is_string( $_POST['log'] ) ) {
 			$credentials['user_login'] = wp_unslash( $_POST['log'] );
 		}
-		if ( ! empty( $_POST['pwd'] ) ) {
+		if ( ! empty( $_POST['pwd'] ) && is_string( $_POST['pwd'] ) ) {
 			$credentials['user_password'] = $_POST['pwd'];
 		}
 		if ( ! empty( $_POST['rememberme'] ) ) {
diff --git a/tests/phpunit/tests/auth.php b/tests/phpunit/tests/auth.php
@@ -634,6 +634,28 @@ public function test_wp_signon_does_not_throw_deprecation_notices_with_default_p
 		$this->assertContains( 'empty_password', $error_codes, 'The "empty_password" error code should be present.' );
 	}
 
+	/**
+	 * Tests that a warning or a fatal error is not thrown when the login or password
+	 * passed via `$_POST` is an array instead of a string.
+	 *
+	 * The messages that we should not see:
+	 * `Warning: wp_strip_all_tags() expects parameter #1 ($text) to be a string, array given`.
+	 * `TypeError: trim(): Argument #1 ($string) must be of type string, array given`.
+	 *
+	 * @ticket 62794
+	 */
+	public function test_wp_signon_does_not_throw_fatal_errors_with_array_parameters() {
+		$_POST['log'] = array( 'example' );
+		$_POST['pwd'] = array( 'example' );
+
+		$error = wp_signon();
+		$this->assertWPError( $error, 'The result should be an instance of WP_Error.' );
+
+		$error_codes = $error->get_error_codes();
+		$this->assertContains( 'empty_username', $error_codes, 'The "empty_username" error code should be present.' );
+		$this->assertContains( 'empty_password', $error_codes, 'The "empty_password" error code should be present.' );
+	}
+
 	/**
 	 * HTTP Auth headers are used to determine the current user.
 	 *

Original file line number	Diff line number	Diff line change
`@@ -48,10 +48,10 @@ function wp_signon( $credentials = array(), $secure_cookie = '' ) {`
`48`	`48`	`'remember' => false,`
`49`	`49`	`);`
`50`	`50`
`51`		`- if ( ! empty( $_POST['log'] ) ) {`
	`51`	`+ if ( ! empty( $_POST['log'] ) && is_string( $_POST['log'] ) ) {`
`52`	`52`	`$credentials['user_login'] = wp_unslash( $_POST['log'] );`
`53`	`53`	`}`
`54`		`- if ( ! empty( $_POST['pwd'] ) ) {`
	`54`	`+ if ( ! empty( $_POST['pwd'] ) && is_string( $_POST['pwd'] ) ) {`
`55`	`55`	`$credentials['user_password'] = $_POST['pwd'];`
`56`	`56`	`}`
`57`	`57`	`if ( ! empty( $_POST['rememberme'] ) ) {`