Make WordPress Core

Opened 11 years ago

Closed 21 months ago

Last modified 18 months ago

#11959 closed defect (bug) (worksforme)

Value Truncation Still Unchecked in registration.php

Reported by: miqrogroove Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Users Keywords: needs-patch bulk-reopened
Focuses: Cc:


Functions such as username_exists() fail to perform sanity checks against the storage schema. As a result, it is possible to register multiple users with the same username, if the length is greater than or equal to the username field size. Only the first user can login, however anyone re-registering that username can impersonate the first user to reset their password.

Attachments (1)

11959.test.patch (685 bytes) - added by johnpbloch 7 years ago.
username_exists() test

Download all attachments as: .zip

Change History (10)

#1 @ryan
11 years ago

Related: #7728

#2 @nacin
11 years ago

  • Milestone changed from 2.9.3 to 3.0

Not a regression. Moving to 3.0. Can be backported if desired.

#3 @nacin
11 years ago

  • Keywords needs-patch added

#4 @ryan
11 years ago

  • Milestone changed from 3.0 to 3.1

#5 @nacin
10 years ago

  • Milestone changed from Awaiting Triage to Future Release

7 years ago

username_exists() test

#6 @johnpbloch
7 years ago

  • Cc johnpbloch@… added

This isn't really a patch (yet), but while looking into this issue I noticed that username_exists() didn't have any unit tests written yet, so I added a patch here to add such a test to the suite.

#7 @johnpbloch
7 years ago

Regarding fixing this issue, what would be the preferable way to fix it? It seems to me that username_exists() should not truncate the username to 60 characters, since that would give a false positive. It seems to me, rather, that functions like wp_insert_user() or sanitize_user() should be making this sort of check instead of username_exists(). Thoughts?

#8 @miqrogroove
5 years ago

Any chance this was fixed in [32299] or did that only affect the comments table?

#11 @noisysocks
21 months ago

  • Keywords bulk-reopened added
  • Resolution set to worksforme
  • Status changed from new to closed

I tested this in trunk and was unable to create a user with a username longer than 60 characters. Closing this as it looks like it was fixed inadvertently by [32299].

Last edited 21 months ago by noisysocks (previous) (diff)
Note: See TracTickets for help on using tickets.