Opened 11 years ago
Closed 9 years ago
#26784 closed defect (bug) (fixed)
User registration on multisite: don't allow usernames to be >60 characters long.
Reported by: | DJPaul | Owned by: | jeremyfelt |
---|---|---|---|
Milestone: | 4.3 | Priority: | normal |
Severity: | normal | Version: | 3.0 |
Component: | Login and Registration | Keywords: | has-patch |
Focuses: | multisite | Cc: |
Description
In `wpmu_validate_user_signup()` at the "has someone already signed up for this username?" check, it doesn't work as expected in situations where `$wpdb->signups` has truncated a new record's `user_login` value down to its maximum column size (which is 60 characters). The check will never match any records where the new username is >60 characters.
To recreate on multisite:
- Register a new user account with a 60-character long username via `wp-login.php?action=register`.
- Activate the account via link provided in email, and log in.
- Everything should work as expected. Log out.
- Register another new user account; use a different email address. Use the same username as previously, but add at least 1 extra character to the end of it.
- It will accept this username, though you'll be unable to activate the account. It will say that it's already been activated; look at the record in the `wp_signups` table and see that `user_login` has been truncated to the first 60 characters of the string you provided.
The attached patch adds a new validation check to `wpmu_validate_user_signup()` which rejects the username if it's >60 characters.
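The mismatch described in this ticket, as an added example that is not part of the ticket or of WordPress core: an in-memory stand-in for the signups table that truncates `user_login` to 60 characters, checked first with the duplicate lookup alone and then with a length check in front of it. The class, function names and messages are hypothetical, and truncation on insert (rather than the database rejecting the value) is an assumption.

```php
<?php
// Added illustration, not WordPress core code; every name below is hypothetical.
const USER_LOGIN_MAX = 60; // width of the user_login varchar(60) column

// Stand-in for the signups table. Assumption: the database truncates an
// over-long value to the column width instead of rejecting the insert.
final class SignupsTable {
    private array $rows = [];

    public function insert(string $login, string $email): void {
        $stored = substr($login, 0, USER_LOGIN_MAX); // ASCII logins: bytes == characters
        $this->rows[] = ['user_login' => $stored, 'user_email' => $email];
    }

    // Exact-match lookup, as a WHERE user_login = ... query would do.
    public function count(string $login): int {
        return count(array_filter($this->rows, fn($r) => $r['user_login'] === $login));
    }
}

// Duplicate check alone: the behaviour the ticket reports.
function validate_before(SignupsTable $t, string $login): array {
    return $t->count($login) > 0 ? ['username already reserved'] : [];
}

// Length check first, so a value the column would truncate is never stored.
function validate_after(SignupsTable $t, string $login): array {
    if (strlen($login) > USER_LOGIN_MAX) {
        return ['username longer than ' . USER_LOGIN_MAX . ' characters'];
    }
    return validate_before($t, $login);
}

$first  = str_repeat('a', USER_LOGIN_MAX); // constructed 60-character username
$second = $first . 'b';                    // same name plus one character

$table = new SignupsTable();
$table->insert($first, 'one@example.test');

// The 61-character name is compared against the stored 60-character value.
$errors = validate_before($table, $second);
printf("before: %d error(s) for the 61-character name\n", count($errors));
if ($errors === []) {
    $table->insert($second, 'two@example.test');
}
printf("rows stored under the 60-character name: %d\n", $table->count($first));

$errors = validate_after($table, $second);
printf("after: %s\n", implode('; ', $errors));
```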
Attachments (1)
Change History (11)
#1 @ 11 years ago
- Keywords has-patch needs-testing added
- Milestone changed from Awaiting Review to Future Release
#3 @ 11 years ago
- Component changed from Multisite to Login and Registration
- Focuses multisite added
#8 follow-up: ↓ 9 @ 9 years ago
- Owner set to jeremyfelt
- Status changed from new to assigned
Can this be consolidated with #17904?
#9 in reply to: ↑ 8 @ 9 years ago
- Keywords needs-testing removed
Replying to wonderboymusic:
Can this be consolidated with #17904?
I think we can get this one in now as the change is very small and tests are in place. After re-reading #17904, I think it's a lot closer than I remembered. We can continue work there for the next cycle.
Given `user_login varchar(60) NOT NULL default '',`, seems good to me.