Context Navigation

← Previous Change
Next Change →

user.php

Timestamp:

09/11/2015 02:24:03 AM (10 years ago)

Author:

boonebgorges

Message:

Require numeric IDs in user deletion functions.

wp_delete_user() and wpmu_delete_user() both require an $id parameter.
Previously, the functions did not verify that the value passed was, in fact,
a number. As such, passing an object or any other entity that would be cast
to int 1 would result in user 1 being deleted. We fix this by enforcing
the requirement that $id be numeric.

Props dipesh.kakadiya, utkarshpatel, juliobox.
Fixes #33800.

File:

: 1 edited

trunk/src/wp-admin/includes/user.php (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/src/wp-admin/includes/user.php

-                      r34021
+                      r34034
 function wp_delete_user( $id, $reassign = null ) {
     global $wpdb;
+    if ( ! is_numeric( $id ) ) {
+        return false;
+    }
     $id = (int) $id;

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Make WordPress Core

Context Navigation

Changeset 34034 for trunk/src/wp-admin/includes/user.php

Legend:

trunk/src/wp-admin/includes/user.php

Download in other formats: