
Changeset 34034


Timestamp:
09/11/2015 02:24:03 AM (9 years ago)
Author:
boonebgorges
Message:

Require numeric IDs in user deletion functions.

wp_delete_user() and wpmu_delete_user() both require an $id parameter.
Previously, the functions did not verify that the value passed was, in fact,
a number. As such, passing an object or any other entity that would be cast
to int 1 would result in user 1 being deleted. We fix this by enforcing
the requirement that $id be numeric.

Props dipesh.kakadiya, utkarshpatel, juliobox.
Fixes #33800.

Location:
trunk
Files:
4 edited

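--- a/trunk/src/wp-admin/includes/ms.php
+++ b/trunk/src/wp-admin/includes/ms.php
@@ -185,4 +185,8 @@
 function wpmu_delete_user( $id ) {
     global $wpdb;
+
+    if ( ! is_numeric( $id ) ) {
+        return false;
+    }
 
     $id = (int) $id;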
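Review bot: The added `is_numeric()` guard still lets non-integral numeric input reach the `(int)` cast on the last hunk line, so values such as `'1.9'`, `1.5` or `'1e3'` are silently truncated or reinterpreted and delete a user other than the one the caller named — a narrower form of the cast-to-1 problem the changeset message describes. Rejecting anything that does not survive the int round-trip closes that gap: `if ( ! is_numeric( $id ) || (int) $id != $id ) {`. The identical guard is added to wp_delete_user() in user.php below and would want the same treatment. wpmu_delete_user()'s body continues past the hunk, so any later handling of 0 or negative IDs is not visible here.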
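--- a/trunk/src/wp-admin/includes/user.php
+++ b/trunk/src/wp-admin/includes/user.php
@@ -273,4 +273,8 @@
 function wp_delete_user( $id, $reassign = null ) {
     global $wpdb;
+
+    if ( ! is_numeric( $id ) ) {
+        return false;
+    }
 
     $id = (int) $id;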
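Review bot: `$reassign` gets no validation in this hunk while `$id` now does; if the body later casts `$reassign` to int the way `$id` is cast on the last hunk line (the rest of wp_delete_user() is outside the hunk), a non-numeric reassign target would be coerced silently in exactly the way this commit stops for `$id`, and posts could end up attributed to an unintended account. A parallel guard keeps the two parameters consistent: `if ( null !== $reassign && ! is_numeric( $reassign ) ) { return false; }`.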
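--- a/trunk/tests/phpunit/tests/user/multisite.php
+++ b/trunk/tests/phpunit/tests/user/multisite.php
@@ -345,4 +345,27 @@
     }
 
+    public function test_numeric_string_user_id() {
+        $u = $this->factory->user->create();
+
+        $u_string = (string) $u;
+        $this->assertTrue( wpmu_delete_user( $u_string ) );
+        $this->assertFalse( get_user_by( 'id', $u ) );
+    }
+
+    /**
+     * @ticket 33800
+     */
+    public function test_should_return_false_for_non_numeric_string_user_id() {
+        $this->assertFalse( wpmu_delete_user( 'abcde' ) );
+    }
+
+    /**
+     * @ticket 33800
+     */
+    public function test_should_return_false_for_object_user_id() {
+        $u_obj = $this->factory->user->create_and_get();
+        $this->assertFalse( wpmu_delete_user( $u_obj ) );
+        $this->assertEquals( $u_obj->ID, username_exists( $u_obj->user_login ) );
+    }
 }
 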
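Review bot: test_should_return_false_for_object_user_id() only checks that the user created for the test still exists, but the regression the changeset message describes is that an object cast to int deletes user 1, and that account is never inspected, so the test would also pass against a version that still deleted user 1. If the test install keeps an account at ID 1 (not visible here), a direct assertion pins the actual regression, e.g. `$this->assertNotFalse( get_user_by( 'id', 1 ) );`. test_numeric_string_user_id() is also the only new test in this hunk without a `@ticket 33800` docblock; `/** @ticket 33800 */` would keep the three consistent.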
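--- a/trunk/tests/phpunit/tests/user/wpDeleteUser.php
+++ b/trunk/tests/phpunit/tests/user/wpDeleteUser.php
@@ -126,3 +126,35 @@
         $this->assertEquals( $reassign, $post->post_author );
     }
+
+    public function test_numeric_string_user_id() {
+        if ( is_multisite() ) {
+            $this->markTestSkipped( 'wp_delete_user() does not delete user records in Multisite.' );
+        }
+
+        $u = $this->factory->user->create();
+
+        $u_string = (string) $u;
+        $this->assertTrue( wp_delete_user( $u_string ) );
+        $this->assertFalse( get_user_by( 'id', $u ) );
+    }
+
+    /**
+     * @group 33800
+     */
+    public function test_should_return_false_for_non_numeric_string_user_id() {
+        $this->assertFalse( wp_delete_user( 'abcde' ) );
+    }
+
+    /**
+     * @group 33800
+     */
+    public function test_should_return_false_for_object_user_id() {
+        if ( is_multisite() ) {
+            $this->markTestSkipped( 'wp_delete_user() does not delete user records in Multisite.' );
+        }
+
+        $u_obj = $this->factory->user->create_and_get();
+        $this->assertFalse( wp_delete_user( $u_obj ) );
+        $this->assertEquals( $u_obj->ID, username_exists( $u_obj->user_login ) );
+    }
 }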
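Review bot: The two new docblocks use `@group 33800` where the parallel tests added to multisite.php in this changeset use `@ticket 33800`; `@group` declares a PHPUnit group rather than referencing the Trac ticket, so both should read `* @ticket 33800` to match the sibling file. test_numeric_string_user_id() here also carries no ticket docblock, unlike the two tests that follow it. The multisite skip in test_should_return_false_for_object_user_id() appears unnecessary, since the guard under test returns false before any record is touched, as the non-numeric-string test in the same hunk already assumes.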