#11775 closed defect (bug) (fixed)
in ms-edit.php, illegal_names gets updated without the slightest validation
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Milestone: | 3.0 | Priority: | normal |
| Severity: | normal | Version: | 3.0 |
| Component: | Security | Keywords: | |
| Focuses: | multisite | Cc: |
Description
it just goes:
$illegal_names = split( ' ', $_POST['illegal_names'] );
foreach( (array) $illegal_names as $name ) {
$name = trim( $name );
if( $name != '' )
$names[] = trim( $name );
}
update_site_option( "illegal_names", $names );
aren't we missing at least some sanitization here?
also, $names should be initialized to array()
Change History (5)
comment:2
Denis-de-Bernardy
— 4 years ago
and banned_email_domains, and default_user_role, etc.
default_user_role should additionally check that the default role doesn't have exotic caps (see #6566)
comment:5
mdawaffe
— 19 months ago
This change breaks is_email_address_unsafe()'s ability to handle domains specified via regex.
Previously, you could add a banned domain like:
/^bar[.]com$/
so that email addresses from foobar.com wouldn't get blacklisted. Now, that domain is treated as illegal input and is stripped.
Sanitizing regex is a pain. Suggested solution at #21570.
Note: See
TracTickets for help on using
tickets.
the same holds for limited_email_domains