

Timestamp:
01/27/2021 07:03:42 PM (4 years ago)
Author:
TimothyBlynJacobs
Message:

App Passwords: Improve validation and sanitization of the application name.

Application names are now required to be unique and cannot contain solely whitespace characters. Additionally, invalid characters are now stripped from the application name using sanitize_text_field().

Props Boniu91, hellofromTonya, engahmeds3ed, xkon, francina.
Fixes #51941.

File:
1 edited

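--- a/trunk/src/wp-includes/class-wp-application-passwords.php
+++ b/trunk/src/wp-includes/class-wp-application-passwords.php
@@ -59,4 +59,5 @@
      *
      * @since 5.6.0
+     * @since 5.7.0 Returns WP_Error if application name already exists.
      *
      * @param int   $user_id  User ID.
@@ -66,6 +67,14 @@
      */
     public static function create_new_application_password( $user_id, $args = array() ) {
+        if ( ! empty( $args['name'] ) ) {
+            $args['name'] = sanitize_text_field( $args['name'] );
+        }
+
         if ( empty( $args['name'] ) ) {
-            return new WP_Error( 'application_password_empty_name', __( 'An application name is required to create an application password.' ) );
+            return new WP_Error( 'application_password_empty_name', __( 'An application name is required to create an application password.' ), array( 'status' => 400 ) );
+        }
+
+        if ( self::application_name_exists_for_user( $user_id, $args['name'] ) ) {
+            return new WP_Error( 'application_password_duplicate_name', __( 'Each application name should be unique.' ), array( 'status' => 409 ) );
         }
 
@@ -164,4 +173,26 @@
 
     /**
+     * Check if application name exists before for this user.
+     *
+     * @since 5.7.0
+     *
+     * @param int    $user_id User ID.
+     * @param string $name    Application name.
+     *
+     * @return bool Provided application name exists or not.
+     */
+    public static function application_name_exists_for_user( $user_id, $name ) {
+        $passwords = static::get_user_application_passwords( $user_id );
+
+        foreach ( $passwords as $password ) {
+            if ( strtolower( $password['name'] ) === strtolower( $name ) ) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
      * Updates an application password.
      *
@@ -179,4 +210,8 @@
             if ( $item['uuid'] !== $uuid ) {
                 continue;
+            }
+
+            if ( ! empty( $update['name'] ) ) {
+                $update['name'] = sanitize_text_field( $update['name'] );
             }
 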
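Review bot: The rename path in the last hunk sanitizes `$update['name']` but applies neither of the two checks the create path now makes: a name that sanitize_text_field() reduces to an empty string (whitespace only) has already passed the `! empty()` guard, which runs before sanitization, and is presumably written as-is, and the new name is never compared against the user's other passwords, so the uniqueness rule introduced in the second hunk can be bypassed by renaming. The enclosing update method starts and ends outside the hunk; the sketch below assumes `$user_id` and `$uuid` are its parameters, as `$item['uuid'] !== $uuid` on the hunk's first line suggests. The item being renamed has to be excluded from the comparison by uuid, which is why `application_name_exists_for_user()` is not reused directly here; giving that helper an optional uuid to skip would be the cleaner alternative. The reused empty-name message says "to create", so a dedicated string may be preferable for the update case.
```php
            if ( ! empty( $update['name'] ) ) {
                $update['name'] = sanitize_text_field( $update['name'] );

                if ( '' === $update['name'] ) {
                    return new WP_Error( 'application_password_empty_name', __( 'An application name is required to create an application password.' ), array( 'status' => 400 ) );
                }

                foreach ( static::get_user_application_passwords( $user_id ) as $other ) {
                    if ( $other['uuid'] !== $uuid && strtolower( $other['name'] ) === strtolower( $update['name'] ) ) {
                        return new WP_Error( 'application_password_duplicate_name', __( 'Each application name should be unique.' ), array( 'status' => 409 ) );
                    }
                }
            }
            // … unchanged: remainder of the update loop …
```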