Make WordPress Core

Opened 6 years ago

Last modified 6 months ago

#11959 new defect (bug)

Value Truncation Still Unchecked in registration.php

Reported by: miqrogroove
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version:
Component: Users
Keywords: needs-patch
Focuses:
Cc:


Functions such as username_exists() fail to perform sanity checks against the storage schema. As a result, it is possible to register multiple users with the same username if the length is greater than or equal to the username field size. Only the first user can log in; however, anyone re-registering that username can impersonate the first user to reset their password.

Attachments (1)

11959.test.patch (685 bytes) - added by johnpbloch 2 years ago.
username_exists() test


Change History (9)

#1 @ryan
6 years ago

Related: #7728

#2 @nacin
6 years ago

  • Milestone changed from 2.9.3 to 3.0

Not a regression. Moving to 3.0. Can be backported if desired.

#3 @nacin
6 years ago

  • Keywords needs-patch added

#4 @ryan
6 years ago

  • Milestone changed from 3.0 to 3.1

#5 @nacin
5 years ago

  • Milestone changed from Awaiting Triage to Future Release

2 years ago

username_exists() test

#6 @johnpbloch
2 years ago

  • Cc johnpbloch@… added

This isn't really a patch (yet), but while looking into this issue I noticed that username_exists() didn't have any unit tests written yet, so I added a patch here to add such a test to the suite.

#7 @johnpbloch
2 years ago

Regarding fixing this issue, what would be the preferable way to fix it? It seems to me that username_exists() should not truncate the username to 60 characters, since that would give a false positive. It seems to me, rather, that functions like wp_insert_user() or sanitize_user() should be making this sort of check instead of username_exists(). Thoughts?
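
The truncation problem from the ticket description and the fix location discussed in comment #7, as an added example that is not part of the ticket and is not WordPress code: a small Python model of a column that silently truncates on insert, with the existence-check-only registration next to one that rejects over-length names first. The names `UsersTable`, `register_unchecked` and `register_checked` are hypothetical, the 60-character width is the figure from comment #7, and silent truncation by the database is an assumption of the model.

```python
# Constructed model of the ticket's scenario; not WordPress code.
FIELD_SIZE = 60  # username column width, as cited in comment #7


class UsersTable:
    """Models a fixed-width column whose database silently truncates on INSERT (assumption)."""

    def __init__(self):
        self.rows = []  # list of (user_id, stored_login)

    def insert(self, login):
        stored = login[:FIELD_SIZE]  # silent truncation, no error raised
        self.rows.append((len(self.rows) + 1, stored))
        return len(self.rows)

    def find(self, login):
        # Exact-match lookup on the full, untruncated input
        return [uid for uid, stored in self.rows if stored == login]


def register_unchecked(table, login):
    """Existence check only: the pattern the ticket reports."""
    if table.find(login):
        raise ValueError("username exists")
    return table.insert(login)


def register_checked(table, login):
    """Reject over-length names first, so the value compared is the value stored."""
    if len(login) > FIELD_SIZE:
        raise ValueError("username too long")
    return register_unchecked(table, login)


def demo():
    first = "a" * FIELD_SIZE   # constructed sample: exactly the field size
    second = first + "x"       # differs only past the column width
    weak = UsersTable()
    register_unchecked(weak, first)
    register_unchecked(weak, second)   # passes the check, stored as `first`
    duplicates = len(weak.find(first))
    strong = UsersTable()
    register_checked(strong, first)
    try:
        register_checked(strong, second)
        rejected = False
    except ValueError:
        rejected = True
    return duplicates, rejected
```

Rejecting the over-length name, rather than truncating it inside the existence check, avoids the false positive that comment #7 raises.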

#8 @miqrogroove
6 months ago

Any chance this was fixed in [32299] or did that only affect the comments table?
