#11775 closed defect (bug) (fixed)
in ms-edit.php, illegal_names gets updated without the slightest validation
Reported by: | | Owned by: |
---|---|---|---
Milestone: | 3.0 | Priority: | normal
Severity: | normal | Version: | 3.0
Component: | Security | Keywords: |
Focuses: | multisite | Cc: |
Description
it just goes:
```php
$illegal_names = split( ' ', $_POST['illegal_names'] );
foreach( (array) $illegal_names as $name ) {
    $name = trim( $name );
    if( $name != '' )
        $names[] = trim( $name );
}
update_site_option( "illegal_names", $names );
```
aren't we missing at least some sanitization here?
also, $names should be initialized to array()
Change History (5)
#2 @ 16 years ago
and banned_email_domains, and default_user_role, etc.
default_user_role should additionally check that the default role doesn't have exotic caps (see #6566)
#5 @ 13 years ago
This change breaks is_email_address_unsafe()'s ability to handle domains specified via regex.
Previously, you could add a banned domain like:
/^bar[.]com$/
so that email addresses from foobar.com wouldn't get blacklisted. Now, that domain is treated as illegal input and is stripped.
Sanitizing regex is a pain. Suggested solution at #21570.
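An added example, not code from this ticket or from WordPress core, of the validation the description asks for (list initialised, entries trimmed and checked) while still keeping the /regex/ entries that comment #5 relies on; sanitize_name_list() and is_delimited_regex() are hypothetical helper names, and the character set allowed for plain entries is an assumption.

```php
<?php
// Added example, not WordPress core code: validate a whitespace-separated
// list such as illegal_names or banned_email_domains before saving it.
// sanitize_name_list() and is_delimited_regex() are hypothetical helpers.

/**
 * Split $raw on whitespace, trim, drop empties and keep only entries that
 * are a plain token (letters, digits, dot, dash, underscore) or, when
 * $allow_regex is true, a /delimited/ pattern that actually compiles.
 * Returns array( 'kept' => [...], 'rejected' => [...] ).
 */
function sanitize_name_list( $raw, $allow_regex = false ) {
    $kept     = array(); // initialised up front, as the ticket asks
    $rejected = array();

    // preg_split() replaces the deprecated split() used in ms-edit.php
    foreach ( preg_split( '/\s+/', (string) $raw ) as $name ) {
        $name = trim( $name );
        if ( $name === '' ) {
            continue;
        }
        if ( $allow_regex && is_delimited_regex( $name ) ) {
            $kept[] = $name;               // keep e.g. /^bar[.]com$/ intact
        } elseif ( preg_match( '/^[a-z0-9][a-z0-9._-]{0,252}$/i', $name ) ) {
            $kept[] = strtolower( $name ); // plain username or domain token
        } else {
            $rejected[] = $name;           // anything else is reported, not saved
        }
    }
    return array( 'kept' => $kept, 'rejected' => $rejected );
}

/** True when $s looks like /pattern/ and PCRE accepts it as a pattern. */
function is_delimited_regex( $s ) {
    if ( strlen( $s ) < 3 || $s[0] !== '/' || substr( $s, -1 ) !== '/' ) {
        return false;
    }
    return @preg_match( $s, '' ) !== false; // false means the pattern is invalid
}

// Constructed input: two plain names, one regex domain, two hostile entries.
$raw    = 'www admin /^bar[.]com$/ <script>alert(1)</script> /[unclosed/';
$result = sanitize_name_list( $raw, true );
print_r( $result );
```

The compile check only rejects malformed patterns, not expensive ones, so an admin-supplied regex is still trusted input; that is the trade-off comment #5 is pointing at.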
the same holds for limited_email_domains