Opened 6 years ago

Closed 6 years ago

#10454 closed enhancement (fixed)

Add support for setting users_can_register option via XML-RPC and sanitize the option value

Reported by: josephscott
Owned by: westi
Milestone: 2.9
Priority: normal
Severity: normal
Version: 2.8.1
Component: XML-RPC
Keywords: has-patch
Focuses:
Cc:

Description

I looked at adding support to manage the users_can_register ('Membership') option via XML-RPC (using the existing wp.setOptions method) and found that the users_can_register value wasn't being sanitized. There was also a problem with wp.setOptions not working if the value of the option evaluated to false with the empty() function.

So first up, I have a patch to xmlrpc.php that adds support for managing the users_can_register option and removes the empty() check on the option value.

Second is a patch to the sanitize_option() function that makes sure that the value for the users_can_register option is an integer. Under normal situations this limits the value to either zero or one.

Attachments (3)

xmlrpc.php.diff (666 bytes) - added by josephscott 6 years ago.
wp-includes--formatting.php.diff (412 bytes) - added by josephscott 6 years ago.
wp-includes--formatting.php.2.diff (447 bytes) - added by josephscott 6 years ago.

Change History (7)

comment:1 @josephscott 6 years ago

Westi pointed out that there really is no reason not to use absint() here instead, since the two legal values we are talking about are zero and one. This new patch puts 'users_can_register' into the same case block for other absolute integers and replaces the abs((int) *) approach with a call to absint().
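
The two changes discussed in the description and in comment:1, as an added PHP illustration that is not the attached patches or WordPress core code. `set_options_demo()`, `sanitize_option_demo()`, `absint_demo()` and the allow-list are hypothetical stand-ins, and all input values are constructed.

```php
<?php
// Added illustration; not WordPress core code. All function names here are
// hypothetical stand-ins. absint_demo() uses the abs((int) $v) form named
// in the ticket.
function absint_demo($value) {
    return abs((int) $value);
}

// Constructed sanitizer covering only the option this ticket is about.
function sanitize_option_demo($name, $value) {
    switch ($name) {
        case 'users_can_register':
            return absint_demo($value);
        default:
            return $value;
    }
}

// $skip_empty = true reproduces the empty() guard the ticket removes.
function set_options_demo(array &$store, array $incoming, $skip_empty) {
    $writable = array('users_can_register'); // constructed allow-list
    foreach ($incoming as $name => $value) {
        if (!in_array($name, $writable, true)) {
            continue; // options not exposed as writable are ignored
        }
        if ($skip_empty && empty($value)) {
            continue; // "0", 0, "" and false are all skipped here
        }
        $store[$name] = sanitize_option_demo($name, $value);
    }
    return $store;
}

// Constructed case: registration is enabled and a client sends "0".
// With the guard on, the request never reaches the store.
$with_guard = array('users_can_register' => 1);
set_options_demo($with_guard, array('users_can_register' => '0'), true);
var_dump($with_guard['users_can_register']);

// With the guard off, the same request is sanitized and stored.
$without_guard = array('users_can_register' => 1);
set_options_demo($without_guard, array('users_can_register' => '0'), false);
var_dump($without_guard['users_can_register']);

// Constructed non-integer inputs, each coerced to a non-negative integer.
foreach (array('1', 'yes', '-1', '1abc') as $raw) {
    $store = array('users_can_register' => 0);
    set_options_demo($store, array('users_can_register' => $raw), false);
    echo var_export($raw, true), ' => ', $store['users_can_register'], "\n";
}
```

With the guard in place an XML-RPC client can enable registration but cannot disable it, which is the case a defender most wants to work.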

comment:2 @westi 6 years ago

  • Owner changed from josephscott to westi
  • Status changed from new to reviewing

comment:3 @westi 6 years ago

(In [11772]) Ensure that users_can_register is sanitised correctly. See #10454 props josephscott.

comment:4 @westi 6 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

(In [11773]) Allow user registration to be enabled by an XMLRPC client. Fixes #10454 props josephscott.
