#16740 closed defect (bug) (fixed)
Calling wpmu_delete_blog with $blog_id deletes all database tables
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | 3.3 |
| Component: | Multisite | Version: | 3.1 |
| Severity: | major | Keywords: | |
| Cc: | | | |
Description
When calling the wpmu_delete_blog function with a blog_id of 1, get_blog_prefix called by this function returns a dangerous (for the delete purpose) prefix (i.e. 'wp\_%', assuming the installation prefix was 'wp_').
Since tables returned by "SHOW TABLES LIKE 'wp\_%'" are deleted, all the WordPress tables are destroyed.
Of course, the backoffice doesn't allow an admin to delete the blog 1, but it might be a safe idea to prevent this by checking that $blog_id passed to wpmu_delete_blog is never 0 or 1 since any plugin can call it with a wrong parameter.
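The failure mode described above, as an added self-contained PHP model that is not WordPress core code and not one of the attached patches. It assumes a base prefix of `wp_` and a constructed table list, and the helper names (`model_blog_prefix`, `like_to_regex`, `tables_to_drop`, `guarded_tables_to_drop`) are hypothetical.

```php
<?php
// Constructed model of the ticket's failure mode; not WordPress core code.
const BASE_PREFIX = 'wp_'; // assumed installation prefix

// Models the prefix lookup described in the ticket: blog 0/1 gets the bare base prefix.
function model_blog_prefix(int $blog_id): string {
    return ($blog_id === 0 || $blog_id === 1) ? BASE_PREFIX : BASE_PREFIX . $blog_id . '_';
}

// SQL LIKE -> regex: "\x" is literal x, "%" is any run, "_" is any single character.
function like_to_regex(string $like): string {
    $out = '';
    for ($i = 0, $n = strlen($like); $i < $n; $i++) {
        $c = $like[$i];
        if ($c === '\\' && $i + 1 < $n) {
            $out .= preg_quote($like[++$i], '/');
        } elseif ($c === '%') {
            $out .= '.*';
        } elseif ($c === '_') {
            $out .= '.';
        } else {
            $out .= preg_quote($c, '/');
        }
    }
    return '/^' . $out . '$/s';
}

// Tables that SHOW TABLES LIKE '<escaped prefix>%' would return for this blog.
function tables_to_drop(int $blog_id, array $all_tables): array {
    $like = str_replace('_', '\\_', model_blog_prefix($blog_id)) . '%';
    return array_values(preg_grep(like_to_regex($like), $all_tables));
}

// Guard in the spirit of the ticket: integer IDs only, and never 0 or 1.
function guarded_tables_to_drop($blog_id, array $all_tables): array {
    $id = filter_var($blog_id, FILTER_VALIDATE_INT);
    if ($id === false || $id < 2) {
        return []; // refuse: non-integer, negative, or the main blog
    }
    return tables_to_drop($id, $all_tables);
}

// Constructed table list for a two-site network.
$tables = ['wp_users', 'wp_options', 'wp_blogs', 'wp_2_posts', 'wp_2_options'];
printf("blog 2, unguarded: %s\n", implode(', ', tables_to_drop(2, $tables)));
printf("blog 1, unguarded: %s\n", implode(', ', tables_to_drop(1, $tables)));
printf("blog 1, guarded:   %s\n", implode(', ', guarded_tables_to_drop('1', $tables)) ?: '(nothing)');
```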
Attachments (2)
Change History (10)
Thanks for reporting the issue, patch added to ensure the vartype of $blog_id is integer while performing the same check as in wpmu_delete_blog.patch.
Older MU installs will have a wp_1_* prefix for blog ID 1. These patches would prevent deleting that blog even though it isn't dangerous. Probably not worth caring about, however.
comment:7
wonderboymusic — 8 months ago
- Keywords has-patch removed
- Milestone Awaiting Review deleted
- Resolution set to fixed
- Status changed from new to closed
fixed in [19038]

Sounds like a good idea.
PS: We call the backoffice the admin area. ;)