Make WordPress Core

Opened 6 years ago

Last modified 4 months ago

#11959 new defect (bug)

Value Truncation Still Unchecked in registration.php

Reported by: miqrogroove
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version:
Component: Users
Keywords: needs-patch
Focuses:
Cc:


Functions such as username_exists() fail to perform sanity checks against the storage schema. As a result, it is possible to register multiple users with the same username, if the length is greater than or equal to the username field size. Only the first user can log in; however, anyone re-registering that username can impersonate the first user to reset their password.

Attachments (1)

11959.test.patch (685 bytes) - added by johnpbloch 2 years ago.
username_exists() test


Change History (9)

comment:1 @ryan 6 years ago

Related: #7728

comment:2 @nacin 5 years ago

  • Milestone changed from 2.9.3 to 3.0

Not a regression. Moving to 3.0. Can be backported if desired.

comment:3 @nacin 5 years ago

  • Keywords needs-patch added

comment:4 @ryan 5 years ago

  • Milestone changed from 3.0 to 3.1

comment:5 @nacin 5 years ago

  • Milestone changed from Awaiting Triage to Future Release

@johnpbloch 2 years ago

username_exists() test

comment:6 @johnpbloch 2 years ago

  • Cc johnpbloch@… added

This isn't really a patch (yet), but while looking into this issue I noticed that username_exists() didn't have any unit tests written yet, so I added a patch here to add such a test to the suite.

comment:7 @johnpbloch 2 years ago

Regarding fixing this issue, what would be the preferable way to fix it? It seems to me that username_exists() should not truncate the username to 60 characters, since that would give a false positive. It seems to me, rather, that functions like wp_insert_user() or sanitize_user() should be making this sort of check instead of username_exists(). Thoughts?
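The following is an added illustration of the failure the ticket description reports and of the fix direction comment:7 proposes; it is not WordPress core code and not part of the ticket or its attachment. It models the user_login column as a 60-character field (the width comment:7 mentions) with a plain PHP array, assumes the database silently truncates longer values rather than rejecting them, and uses simulated functions (simulated_insert, naive_username_exists, validate_login_length, register) rather than the real WordPress API. The first run shows that an exact-match lookup on the untruncated name misses the stored row, so a second registration gets in; the second run puts a length check in the registration path, so the longer name never reaches the lookup or the insert.

```php
<?php
// Added illustration for this ticket; it is not WordPress core code. It models the
// wp_users.user_login column as a 60-character field (the width mentioned in comment:7)
// and assumes the database silently truncates longer values instead of rejecting them.

const USER_LOGIN_MAX_LEN = 60; // assumed to match the user_login column width

/** Simulated insert: the stored login is cut to the column width, as a non-strict
 *  VARCHAR(60) column would cut it. Returns the new row's ID. */
function simulated_insert(array &$users, string $login): int
{
    $id = count($users) + 1;
    $users[] = ['ID' => $id, 'user_login' => substr($login, 0, USER_LOGIN_MAX_LEN)];
    return $id;
}

/** Mirrors the lookup the ticket describes: an exact match on the name as typed,
 *  with no regard to what the column can actually hold. */
function naive_username_exists(array $users, string $login): bool
{
    foreach ($users as $row) {
        if ($row['user_login'] === $login) {
            return true;
        }
    }
    return false;
}

/** Count rows that share one stored login; more than one means a duplicate got in. */
function rows_with_login(array $users, string $stored_login): int
{
    return count(array_filter($users, fn($row) => $row['user_login'] === $stored_login));
}

/** The check comment:7 argues belongs in the registration path rather than in
 *  username_exists(): refuse any login the column cannot store unchanged.
 *  strlen() counts bytes; a real check must count characters in the column's charset. */
function validate_login_length(string $login): bool
{
    return strlen($login) <= USER_LOGIN_MAX_LEN;
}

/** Hardened registration: length check first, then the existence check, then insert. */
function register(array &$users, string $login): string
{
    if (!validate_login_length($login)) {
        return 'rejected: login longer than ' . USER_LOGIN_MAX_LEN . ' characters';
    }
    if (naive_username_exists($users, $login)) {
        return 'rejected: username already exists';
    }
    simulated_insert($users, $login);
    return 'registered';
}

// Constructed input: a login exactly at the column width, then the same name with one more character.
$base = str_repeat('a', USER_LOGIN_MAX_LEN);
$long = $base . 'X';

// Vulnerable path: no length check, existence lookup on the raw name.
$users = [];
simulated_insert($users, $base);
printf("lookup for the longer name finds a row: %s\n", naive_username_exists($users, $long) ? 'yes' : 'no');
simulated_insert($users, $long);
printf("rows stored under %s...: %d\n", substr($base, 0, 8), rows_with_login($users, $base));

// Hardened path: the longer name is rejected before any lookup or insert.
$users = [];
printf("%s\n", register($users, $base));
printf("%s\n", register($users, $long));
printf("rows stored under %s...: %d\n", substr($base, 0, 8), rows_with_login($users, $base));
```

The point of placing the check in register() rather than truncating inside naive_username_exists() is the one comment:7 makes: truncating in the lookup would report the longer name as existing when it does not, whereas rejecting it up front keeps every stored login equal to the name the existence check was run against.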

comment:8 @miqrogroove 4 months ago

Any chance this was fixed in [32299] or did that only affect the comments table?
