

Timestamp:
10/06/2017 05:36:12 PM (7 years ago)
Author:
SergeyBiryukov
Message:

Login and Registration: Prevent PHP warnings when POSTing to wp-login.php with an array as a user_login or user_email field.

Props menakas, johnjamesjacoby.
Fixes #40888.

File:
1 edited

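--- a/trunk/src/wp-login.php
+++ b/trunk/src/wp-login.php
@@ -299,5 +299,5 @@
     $errors = new WP_Error();
 
-    if ( empty( $_POST['user_login'] ) ) {
+    if ( empty( $_POST['user_login'] ) || ! is_string( $_POST['user_login'] ) ) {
         $errors->add('empty_username', __('<strong>ERROR</strong>: Enter a username or email address.'));
     } elseif ( strpos( $_POST['user_login'], '@' ) ) {
@@ -566,5 +566,9 @@
     login_header(__('Lost Password'), '<p class="message">' . __('Please enter your username or email address. You will receive a link to create a new password via email.') . '</p>', $errors);
 
-    $user_login = isset($_POST['user_login']) ? wp_unslash($_POST['user_login']) : '';
+    $user_login = '';
+
+    if ( isset( $_POST['user_login'] ) && is_string( $_POST['user_login'] ) ) {
+        $user_login = wp_unslash( $_POST['user_login'] );
+    }
 
 ?>
@@ -758,7 +762,14 @@
     $user_login = '';
     $user_email = '';
+
     if ( $http_post ) {
-        $user_login = isset( $_POST['user_login'] ) ? $_POST['user_login'] : '';
-        $user_email = isset( $_POST['user_email'] ) ? wp_unslash( $_POST['user_email'] ) : '';
+        if ( isset( $_POST['user_login'] ) && is_string( $_POST['user_login'] ) ) {
+            $user_login = $_POST['user_login'];
+        }
+
+        if ( isset( $_POST['user_email'] ) && is_string( $_POST['user_email'] ) ) {
+            $user_email = wp_unslash( $_POST['user_email'] );
+        }
+
         $errors = register_new_user($user_login, $user_email);
         if ( !is_wp_error($errors) ) {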
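Review bot: The added assignment `$user_login = $_POST['user_login'];` in the registration hunk (new line 767) passes the raw value on without `wp_unslash()`, while the `user_email` branch right below it and the lost-password hunk (new line 571) both unslash the same kind of field. The old line had the same gap, so it is carried over rather than introduced, but this commit is the natural place to align the three call sites: `$user_login = wp_unslash( $_POST['user_login'] );`. Whether `register_new_user()` expects slashed input is not visible here, so confirm against its sanitisation before changing it. The `if ( $http_post )` block continues past the end of the hunk.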