WordPress.org

Make WordPress Core

Opened 10 years ago

Closed 10 years ago

Last modified 7 years ago

#11775 closed defect (bug) (fixed)

in ms-edit.php, illegal_names gets updated without the slightest validation

Reported by: Denis-de-Bernardy Owned by: ryan
Milestone: 3.0 Priority: normal
Severity: normal Version: 3.0
Component: Security Keywords:
Focuses: multisite Cc:
PR Number:

Description

it just goes:

		$illegal_names = split( ' ', $_POST['illegal_names'] );
		foreach( (array) $illegal_names as $name ) {
			$name = trim( $name );
			if( $name != '' )
				$names[] = trim( $name );
		}
		update_site_option( "illegal_names", $names );

aren't we missing at least some sanitization here?

also, $names should be initialized to array()

Change History (5)

#1 @Denis-de-Bernardy
10 years ago

the same holds for limited_email_domains

#2 @Denis-de-Bernardy
10 years ago

and banned_email_domains, and default_user_role, etc.

default_user_role should additionally check that the default role doesn't have exotic caps (see #6566)

#3 @nacin
10 years ago

  • Keywords multisite added

#4 @wpmuguru
10 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [13447]) sanitize domains in ms-options, fixes #11775

#5 @mdawaffe
7 years ago

This change breaks is_email_address_unsafe()'s ability to handle domains specified via regex.

Previously, you could add a banned domain like:

/^bar[.]com$/

so that email addresses from foobar.com wouldn't get blacklisted. Now, that domain is treated as illegal input and is stripped.

Sanitizing regex is a pain. Suggested solution at #21570.

Note: See TracTickets for help on using tickets.