We are seeing attackers putting bad values in requests, like &lat=51.5613&lat=%27&lng=-1.7857&
This is triggering fatal errors on geo-my-wp 4.5.2
PHP Fatal error: Uncaught TypeError: Unsupported operand types: string - float in /var/www/html/wp-content/plugins/geo-my-wp/plugins/posts-locator/includes/class-gmw-wp-query.php:309
I assume it would be safe to restrict the lat/lng values to float right away?
diff --git a/includes/class-gmw-location.php b/includes/class-gmw-location.php
index 8fc5b56d..4cb8e290 100644
--- a/includes/class-gmw-location.php
+++ b/includes/class-gmw-location.php
@@ -1264,8 +1264,8 @@ class GMW_Location {
*
* The query instead of running multiple prepares.
*/
- $lat = esc_sql( $args['lat'] );
- $lng = esc_sql( $args['lng'] );
+ $lat = (float) esc_sql( $args['lat'] );
+ $lng = (float) esc_sql( $args['lng'] );
$clauses['distance'] = ", ROUND( {$earth_radius} * acos( cos( radians( {$lat} ) ) * cos( radians( gmw_locations.latitude ) ) * cos( radians( gmw_locations.longitude ) - radians( {$lng} ) ) + sin( radians( {$lat} ) ) * sin( radians( gmw_locations.latitude ) ) ),1 ) AS distance";
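Review bot: The `(float)` cast on the two new lines silently maps any non-numeric or missing value (such as the `%27` in the description) to `0.0`, so the distance query now runs against latitude 0 instead of the request being rejected; the same applies to the hunks in class-gmw-members-locator-form.php and class-gmw-wp-query.php. Validating before the cast keeps the failure explicit, e.g. `if ( ! is_numeric( $args['lat'] ) || ! is_numeric( $args['lng'] ) ) { /* bail out or fall back to no distance clause */ }` followed by a range check (latitude within -90..90, longitude within -180..180). Once the value is a float, wrapping it in `esc_sql()` adds nothing, so `$lat = (float) $args['lat'];` is equivalent and clearer. If the plugin still supports PHP 7, note that interpolating a float into a string was locale-dependent before PHP 8.0 and a comma decimal separator would corrupt the SQL; `sprintf( '%F', $lat )` is locale-independent. The enclosing method starts and ends outside this hunk.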
diff --git a/plugins/members-locator/includes/class-gmw-members-locator-form.php b/plugins/members-locator/includes/class-gmw-members-locator-form.php
index 500e4ccf..cec92b1b 100644
--- a/plugins/members-locator/includes/class-gmw-members-locator-form.php
+++ b/plugins/members-locator/includes/class-gmw-members-locator-form.php
@@ -86,8 +86,8 @@ trait GMW_Members_Locator_Form_Trait {
// since these values are repeatable, we escape them previous
// the query instead of running multiple prepares.
- $lat = esc_sql( $this->form['lat'] );
- $lng = esc_sql( $this->form['lng'] );
+ $lat = (float) esc_sql( $this->form['lat'] );
+ $lng = (float) esc_sql( $this->form['lng'] );
$distance = ! empty( $this->form['radius'] ) ? esc_sql( $this->form['radius'] ) : '';
$distance_sql = "ROUND( {$earth_radius} * acos( cos( radians( {$lat} ) ) * cos( radians( gmw_locations.latitude ) ) * cos( radians( gmw_locations.longitude ) - radians( {$lng} ) ) + sin( radians( {$lat} ) ) * sin( radians( gmw_locations.latitude ) ) ),1 ) AS distance";
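Review bot: The radius on the line after the changed ones, `$distance = ! empty( $this->form['radius'] ) ? esc_sql( $this->form['radius'] ) : '';`, is still only passed through `esc_sql()`, which escapes quotes but does not ensure a numeric value, so if `$distance` is interpolated into the SQL further down as `$lat`/`$lng` are, it remains exposed to the same class of bad input this commit fixes; the same line appears in the class-gmw-wp-query.php hunk with `$args['gmw_radius']`. Applying the same treatment, `$distance = ! empty( $this->form['radius'] ) ? (float) $this->form['radius'] : '';`, closes the gap consistently, ideally with an `is_numeric()` check first so a garbage radius is rejected rather than becoming `0.0`. The enclosing method continues outside this hunk, so I cannot confirm where `$distance` is consumed.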
diff --git a/plugins/posts-locator/includes/class-gmw-wp-query.php b/plugins/posts-locator/includes/class-gmw-wp-query.php
index 9ca3dc91..98956a7e 100644
--- a/plugins/posts-locator/includes/class-gmw-wp-query.php
+++ b/plugins/posts-locator/includes/class-gmw-wp-query.php
@@ -296,8 +296,8 @@ class GMW_WP_Query extends WP_Query {
// since these values are repeatable, we escape them previous
// the query instead of running multiple prepares.
- $lat = esc_sql( $args['gmw_lat'] );
- $lng = esc_sql( $args['gmw_lng'] );
+ $lat = (float) esc_sql( $args['gmw_lat'] );
+ $lng = (float) esc_sql( $args['gmw_lng'] );
$distance = ! empty( $args['gmw_radius'] ) ? esc_sql( $args['gmw_radius'] ) : '';
$distance_sql = "ROUND( {$earth_radius} * acos( cos( radians( {$lat} ) ) * cos( radians( gmw_locations.latitude ) ) * cos( radians( gmw_locations.longitude ) - radians( {$lng} ) ) + sin( radians( {$lat} ) ) * sin( radians( gmw_locations.latitude ) ) ),1 ) AS distance";Metadata