Fatal errors triggered by bad lat/lng values

[leedxw]

We are seeing attackers putting bad values in requests, like &lat=51.5613&lat=%27&lng=-1.7857&

This is triggering fatal errors on geo-my-wp 4.5.2

PHP Fatal error:  Uncaught TypeError: Unsupported operand types: string - float in /var/www/html/wp-content/plugins/geo-my-wp/plugins/posts-locator/includes/class-gmw-wp-query.php:309

I assume it would be safe to immediately restrict the values for lat lng to float?

diff --git a/includes/class-gmw-location.php b/includes/class-gmw-location.php
index 8fc5b56d..4cb8e290 100644
--- a/includes/class-gmw-location.php
+++ b/includes/class-gmw-location.php
@@ -1264,8 +1264,8 @@ class GMW_Location {
                                 *
                                 * The query instead of running multiple prepares.
                                 */
-                               $lat = esc_sql( $args['lat'] );
-                               $lng = esc_sql( $args['lng'] );
+                               $lat = (float) esc_sql( $args['lat'] );
+                               $lng = (float) esc_sql( $args['lng'] );
 
                                $clauses['distance'] = ", ROUND( {$earth_radius} * acos( cos( radians( {$lat} ) ) * cos( radians( gmw_locations.latitude ) ) * cos( radians( gmw_locations.longitude ) - radians( {$lng} ) ) + sin( radians( {$lat} ) ) * sin( radians( gmw_locations.latitude ) ) ),1 ) AS distance";
 
diff --git a/plugins/members-locator/includes/class-gmw-members-locator-form.php b/plugins/members-locator/includes/class-gmw-members-locator-form.php
index 500e4ccf..cec92b1b 100644
--- a/plugins/members-locator/includes/class-gmw-members-locator-form.php
+++ b/plugins/members-locator/includes/class-gmw-members-locator-form.php
@@ -86,8 +86,8 @@ trait GMW_Members_Locator_Form_Trait {
 
                        // since these values are repeatable, we escape them previous
                        // the query instead of running multiple prepares.
-                       $lat          = esc_sql( $this->form['lat'] );
-                       $lng          = esc_sql( $this->form['lng'] );
+                       $lat          = (float) esc_sql( $this->form['lat'] );
+                       $lng          = (float) esc_sql( $this->form['lng'] );
                        $distance     = ! empty( $this->form['radius'] ) ? esc_sql( $this->form['radius'] ) : '';
                        $distance_sql = "ROUND( {$earth_radius} * acos( cos( radians( {$lat} ) ) * cos( radians( gmw_locations.latitude ) ) * cos( radians( gmw_locations.longitude ) - radians( {$lng} ) ) + sin( radians( {$lat} ) ) * sin( radians( gmw_locations.latitude ) ) ),1 ) AS distance";
 
diff --git a/plugins/posts-locator/includes/class-gmw-wp-query.php b/plugins/posts-locator/includes/class-gmw-wp-query.php
index 9ca3dc91..98956a7e 100644
--- a/plugins/posts-locator/includes/class-gmw-wp-query.php
+++ b/plugins/posts-locator/includes/class-gmw-wp-query.php
@@ -296,8 +296,8 @@ class GMW_WP_Query extends WP_Query {
 
                        // since these values are repeatable, we escape them previous
                        // the query instead of running multiple prepares.
-                       $lat          = esc_sql( $args['gmw_lat'] );
-                       $lng          = esc_sql( $args['gmw_lng'] );
+                       $lat          = (float) esc_sql( $args['gmw_lat'] );
+                       $lng          = (float) esc_sql( $args['gmw_lng'] );
                        $distance     = ! empty( $args['gmw_radius'] ) ? esc_sql( $args['gmw_radius'] ) : '';
                        $distance_sql = "ROUND( {$earth_radius} * acos( cos( radians( {$lat} ) ) * cos( radians( gmw_locations.latitude ) ) * cos( radians( gmw_locations.longitude ) - radians( {$lng} ) ) + sin( radians( {$lat} ) ) * sin( radians( gmw_locations.latitude ) ) ),1 ) AS distance";