TypeError: json_decode() in lib/wfConfig.php(545)

I recently face TypeError’s with the plugin, when a login is blocked as brute force attempt and tried to be logged, it seems. I suspect this being the case since I upgraded to PHP8.1, though it seems to be a bug in the code independently:

Error message: Uncaught TypeError: json_decode(): Argument #1 ($json) must be of type string, array given in /var/www/blog/wp-content/plugins/wordfence/lib/wfConfig.php:545
Stack trace:
#0 /var/www/blog/wp-content/plugins/wordfence/lib/wfConfig.php(545): json_decode()
#1 /var/www/blog/wp-content/plugins/wordfence/lib/wfUtils.php(1730): wfConfig::getJSON()
#2 /var/www/blog/wp-content/plugins/wordfence/lib/wfUtils.php(1615): wfUtils::check_and_log_last_error()
#3 /var/www/blog/wp-content/plugins/wordfence/lib/wfActivityReport.php(448): wfUtils::IP2Country()
#4 /var/www/blog/wp-content/plugins/wordfence/lib/wordfenceClass.php(3108): wfActivityReport::logBlockedIP()
#5 /var/www/blog/wp-content/plugins/wordfence/lib/wordfenceClass.php(3126): wordfence::checkSecurityNetwork()
#6 /var/www/blog/wp-content/plugins/wordfence/lib/wordfenceClass.php(3098): wordfence::processBruteForceAttempt()
#7 /var/www/blog/wp-includes/class-wp-hook.php(303): wordfence::authenticateFilter()
#8 /var/www/blog/wp-includes/plugin.php(189): WP_Hook->apply_filters()
#9 /var/www/blog/wp-includes/pluggable.php(593): apply_filters()
#10 /var/www/blog/wp-includes/user.php(95): wp_authenticate()
#11 /var/www/blog/wp-login.php(1142): wp_signon()
#12 {main}

In lib/wfConfig.php(545), the declared function is:

getJSON($key, $default = false, $allowCached = true)

It hence expects up to three arguments, the second being an optional default JSON to return. In lib/wfUtils.php(1730) however it is called like this:

wfConfig::getJSON($previousKey, array(0, false));

Hence as second argument is an array and no JSON, which then causes the type error in json_decode. Based on other getJSON calls in the code, it is intended that the second argument is/can be an array, and if json_decode returns null, it is also returned directly, where a decoded array is expected. But the same cannot be used as input to json_decode, or course. In the get function where the JSON string is derived, I changed:

return $default

to

return @json_encode($default);

as a quick and dirty solution so that the default is passed as JSON string into json_decode, but as array when json_decode returns null. This back and forth however doesn’t look nice and probably it makes more sense to change the get function to return null instead of $default so that the input array is always returned directly without back and forth decoding/encoding:

                if (!self::$tableExists) {
                        return null;
                }

                $table = self::table();
                if (!($option = $wpdb->get_row($wpdb->prepare("SELECT name, val, autoload FROM {$table} WHERE name = %s", $key)))) {
                        return null;
                }

Best regards,

Micha

• This topic was modified 4 years, 4 months ago by Micha. Reason: Found further info about how getJSON is intended to be used
• This topic was modified 4 years, 4 months ago by Micha.
• This topic was modified 4 years, 4 months ago by Micha.