Changeset 34218


Timestamp:
09/15/2015 10:13:51 PM (9 years ago)
Author:
boonebgorges
Message:

Improve validation of user_login and user_nicename length.

The user_login field only allows 60 characters, and user_nicename allows 50.
However, there are no protections in the interface, and few in the code,
that prevent the creation of users with values in excess of these limits. Prior
to recent changes in $wpdb, users were generally created anyway, MySQL
having performed the necessary truncation. More recently, the INSERTs and
UPDATEs simply fail, with no real feedback on the nature of the failure.

This changeset addresses the issue in a number of ways:

  • On the user-new.php and network/user-new.php panels, don't allow input in excess of the maximum field length.
  • In wp_insert_user(), throw an error if the value provided for 'user_login' or 'user_nicename' exceeds the maximum field length.
  • In wp_insert_user(), when using 'user_login' to generate a default value for 'user_nicename', ensure that the nicename is properly truncated, even when suffixed for uniqueness (username-2, etc).

Props dipesh.kakadiya, utkarshpatel, tommarshall, boonebgorges.
Fixes #33793.

Location:
trunk
Files:
4 edited

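--- a/trunk/src/wp-admin/network/user-new.php
+++ b/trunk/src/wp-admin/network/user-new.php
@@ -90,5 +90,5 @@
         <tr class="form-field form-required">
             <th scope="row"><label for="username"><?php _e( 'Username' ) ?></label></th>
-            <td><input type="text" class="regular-text" name="user[username]" id="username" autocapitalize="none" autocorrect="off" /></td>
+            <td><input type="text" class="regular-text" name="user[username]" id="username" autocapitalize="none" autocorrect="off" maxlength="60" /></td>
         </tr>
         <tr class="form-field form-required">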
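--- a/trunk/src/wp-admin/user-new.php
+++ b/trunk/src/wp-admin/user-new.php
@@ -376,5 +376,5 @@
     <tr class="form-field form-required">
         <th scope="row"><label for="user_login"><?php _e('Username'); ?> <span class="description"><?php _e('(required)'); ?></span></label></th>
-        <td><input name="user_login" type="text" id="user_login" value="<?php echo esc_attr( $new_user_login ); ?>" aria-required="true" autocapitalize="none" autocorrect="off" /></td>
+        <td><input name="user_login" type="text" id="user_login" value="<?php echo esc_attr( $new_user_login ); ?>" aria-required="true" autocapitalize="none" autocorrect="off" maxlength="60" /></td>
     </tr>
     <tr class="form-field form-required">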
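--- a/trunk/src/wp-includes/user-functions.php
+++ b/trunk/src/wp-includes/user-functions.php
@@ -1246,17 +1246,26 @@
     $user_login = trim( $pre_user_login );
 
+    // user_login must be between 0 and 60 characters.
     if ( empty( $user_login ) ) {
         return new WP_Error('empty_user_login', __('Cannot create a user with an empty login name.') );
-    }
+    } elseif ( mb_strlen( $user_login ) > 60 ) {
+        return new WP_Error( 'user_login_too_long', __( 'Username may not be longer than 60 characters.' ) );
+    }
+
     if ( ! $update && username_exists( $user_login ) ) {
         return new WP_Error( 'existing_user_login', __( 'Sorry, that username already exists!' ) );
     }
 
-    // If a nicename is provided, remove unsafe user characters before
-    // using it. Otherwise build a nicename from the user_login.
+    /*
+     * If a nicename is provided, remove unsafe user characters before using it.
+     * Otherwise build a nicename from the user_login.
+     */
     if ( ! empty( $userdata['user_nicename'] ) ) {
         $user_nicename = sanitize_user( $userdata['user_nicename'], true );
+        if ( mb_strlen( $user_nicename ) > 50 ) {
+            return new WP_Error( 'user_nicename_too_long', __( 'Nicename may not be longer than 50 characters.' ) );
+        }
     } else {
-        $user_nicename = $user_login;
+        $user_nicename = mb_substr( $user_login, 0, 50 );
     }
 
@@ -1396,5 +1405,7 @@
         $suffix = 2;
         while ($user_nicename_check) {
-            $alt_user_nicename = $user_nicename . "-$suffix";
+            // user_nicename allows 50 chars. Subtract one for a hyphen, plus the length of the suffix.
+            $base_length = 49 - mb_strlen( $suffix );
+            $alt_user_nicename = mb_substr( $user_nicename, 0, $base_length ) . "-$suffix";
             $user_nicename_check = $wpdb->get_var( $wpdb->prepare("SELECT ID FROM $wpdb->users WHERE user_nicename = %s AND user_login != %s LIMIT 1" , $alt_user_nicename, $user_login));
             $suffix++;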
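Review bot: The 50-character bound on `$user_nicename` in the second hunk is checked (or applied via `mb_substr()`) before any later processing of the value, so if the nicename is subsequently normalized into a slug in the part of wp_insert_user() outside this hunk (for example by percent-encoding non-ASCII characters), the stored value could still grow past the column width even though `mb_strlen()` passed here; this is worth confirming against the rest of the function, and if it holds, the length check should run on the final slug rather than the raw input. The suffix loop in the third hunk passes an integer to `mb_strlen( $suffix )`; it works through coercion but reads more clearly and survives a future `strict_types` declaration as `$base_length = 49 - mb_strlen( (string) $suffix );`. Both hunks sit inside wp_insert_user(), whose body starts before and continues after what is shown, so the remaining uses of `$user_nicename` are not visible here.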
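--- a/trunk/tests/phpunit/tests/user.php
+++ b/trunk/tests/phpunit/tests/user.php
@@ -573,4 +573,95 @@
 
         $this->assertSame( $user->user_nicename, $updated_user->user_nicename );
+    }
+
+    /**
+     * @ticket 33793
+     */
+    public function test_wp_insert_user_should_reject_user_login_over_60_characters() {
+        $user_login = str_repeat( 'a', 61 );
+        $u = wp_insert_user( array(
+            'user_login' => $user_login,
+            'user_email' => $user_login . '@example.com',
+            'user_pass' => 'password',
+            'user_nicename' => 'something-short',
+        ) );
+
+        $this->assertWPError( $u );
+        $this->assertSame( 'user_login_too_long', $u->get_error_code() );
+    }
+
+    /**
+     * @ticket 33793
+     */
+    public function test_wp_insert_user_should_reject_user_nicename_over_50_characters() {
+        $user_nicename = str_repeat( 'a', 51 );
+        $u = wp_insert_user( array(
+            'user_login' => 'mynicenamehas50chars',
+            'user_email' => $user_nicename . '@example.com',
+            'user_pass' => 'password',
+            'user_nicename' => $user_nicename,
+        ) );
+
+        $this->assertWPError( $u );
+        $this->assertSame( 'user_nicename_too_long', $u->get_error_code() );
+    }
+
+    /**
+     * @ticket 33793
+     */
+    public function test_wp_insert_user_should_not_generate_user_nicename_longer_than_50_chars() {
+        $user_login = str_repeat( 'a', 55 );
+        $u = wp_insert_user( array(
+            'user_login' => $user_login,
+            'user_email' => $user_login . '@example.com',
+            'user_pass' => 'password',
+        ) );
+
+        $this->assertNotEmpty( $u );
+        $user = new WP_User( $u );
+        $expected = str_repeat( 'a', 50 );
+        $this->assertSame( $expected, $user->user_nicename );
+    }
+
+    /**
+     * @ticket 33793
+     */
+    public function test_wp_insert_user_should_not_truncate_to_a_duplicate_user_nicename() {
+        $u1 = $this->factory->user->create( array(
+            'user_nicename' => str_repeat( 'a', 50 ),
+        ) );
+
+        $user_login = str_repeat( 'a', 55 );
+        $u = wp_insert_user( array(
+            'user_login' => $user_login,
+            'user_email' => $user_login . '@example.com',
+            'user_pass' => 'password',
+        ) );
+
+        $this->assertNotEmpty( $u );
+        $user = new WP_User( $u );
+        $expected = str_repeat( 'a', 48 ) . '-2';
+        $this->assertSame( $expected, $user->user_nicename );
+    }
+
+    /**
+     * @ticket 33793
+     */
+    public function test_wp_insert_user_should_not_truncate_to_a_duplicate_user_nicename_when_suffix_has_more_than_one_character() {
+        $users = $this->factory->user->create_many( 9, array(
+            'user_nicename' => str_repeat( 'a', 50 ),
+        ) );
+
+        $user_login = str_repeat( 'a', 55 );
+        $u = wp_insert_user( array(
+            'user_login' => $user_login,
+            'user_email' => $user_login . '@example.com',
+            'user_pass' => 'password',
+        ) );
+
+        $this->assertNotEmpty( $u );
+        $user = new WP_User( $u );
+        $expected = str_repeat( 'a', 47 ) . '-10';
+        $this->assertSame( $expected, $user->user_nicename );
     }
 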
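Review bot: None of the added tests exercise multibyte input, even though the production checks deliberately use `mb_strlen()` and `mb_substr()` to count characters rather than bytes; a sibling of test_wp_insert_user_should_reject_user_login_over_60_characters using `$user_login = str_repeat( 'é', 61 );` and asserting `user_login_too_long` would pin the character-based limit and catch a regression to byte-wise `strlen()`/`substr()`, assuming the earlier sanitization of the login leaves such characters in place. The nicename-too-long test also only covers the insert path; it is not asserted that updating an existing user with an over-long `user_nicename` returns the same error. The enclosing test class begins before this hunk and the closing brace of the class is not shown.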