WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 3 years ago

#26784 closed defect (bug) (fixed)

User registration on multisite: don't allow usernames to be >60 characters long.

Reported by: DJPaul
Owned by: jeremyfelt
Milestone: 4.3
Priority: normal
Severity: normal
Version: 3.0
Component: Login and Registration
Keywords: has-patch
Focuses: multisite
Cc:

Description

In wpmu_validate_user_signup() at the "has someone already signed up for this username?" check, it doesn't work as expected in situations where $wpdb->signups has truncated a new record's user_login value down to its maximum column size (which is 60 characters). The check will never match any records where the new username is >60 characters.

To recreate on multisite:

  1. Register a new user account with a 60-character long username via wp-login.php?action=register.
  2. Activate the account via link provided in email, and log in.
  3. Everything should work as expected. Log out.
  4. Register another new user account; use a different email address. Use the same username as previously, but add at least 1 extra character to the end of it.
  5. It will accept this username, though you'll be unable to activate the account. It will say that it's already been activated; look at the record in the wp_signups table and see that user_login has been truncated to the first 60 characters of the string you provided.

The attached patch adds a new validation check to wpmu_validate_user_signup() which rejects the username if it's >60 characters.

Attachments (1)

26784-01.patch (639 bytes) - added by DJPaul 4 years ago.
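
An added illustration of the collision this ticket describes, not WordPress code and not the attached patch: a constructed in-memory stand-in for the signups table cuts user_login to 60 characters as the report describes, and the duplicate lookup is run without and with a length check. The function names and error codes are hypothetical.

```php
<?php
// Added example: in-memory stand-in for $wpdb->signups, not WordPress code.
// Assumption: user_login is cut to 60 characters on insert, as the ticket reports.
const USER_LOGIN_MAX = 60;

// Store a signup the way the truncating column would.
function store_signup(array &$signups, string $user_login): void {
    $signups[] = substr($user_login, 0, USER_LOGIN_MAX);
}

// "Has someone already signed up for this username?": exact-match lookup.
function signup_exists(array $signups, string $user_login): bool {
    return in_array($user_login, $signups, true);
}

// Validation without a length check (hypothetical error codes).
function validate_without_length_check(array $signups, string $user_login): array {
    return signup_exists($signups, $user_login) ? ['user_name_taken'] : [];
}

// Validation that rejects over-long names before the lookup runs.
// strlen() counts bytes; this assumes ASCII-only usernames.
function validate_with_length_check(array $signups, string $user_login): array {
    if (strlen($user_login) > USER_LOGIN_MAX) {
        return ['user_name_too_long'];
    }
    return validate_without_length_check($signups, $user_login);
}

$signups = [];
$first   = str_repeat('a', USER_LOGIN_MAX); // constructed 60-character username
$second  = $first . 'b';                    // same name plus one extra character
store_signup($signups, $first);

// Without the check the longer name is not found, so it is accepted and stored;
// the stored value is then identical to the first signup's user_login.
$errors = validate_without_length_check($signups, $second);
store_signup($signups, $second);
printf("no length check: errors=%s, stored rows identical=%s\n",
    json_encode($errors), var_export($signups[0] === $signups[1], true));

// With the check the same input is rejected and never reaches the table.
printf("with length check: errors=%s\n",
    json_encode(validate_with_length_check([$first], $second)));
```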

Change History (11)

@DJPaul
4 years ago

#1 @jeremyfelt
4 years ago

  • Keywords has-patch needs-testing added
  • Milestone changed from Awaiting Review to Future Release

#2 @nacin
4 years ago

Given user_login varchar(60) NOT NULL default '',, seems good to me.

#3 @jeremyfelt
4 years ago

  • Component changed from Multisite to Login and Registration
  • Focuses multisite added

#4 @johnbillion
4 years ago

  • Version changed from trunk to 3.0

#5 @boonebgorges
3 years ago

In 31970:

Unit tests for wpmu_validate_user_signup().

See #17904, #26784.

#6 @pento
3 years ago

In 31978:

Unit Tests added in [31970] need to be restricted to run in Multisite only.

See #17904, #26784.

#7 @jeremyfelt
3 years ago

  • Milestone changed from Future Release to 4.3

#8 follow-up: @wonderboymusic
3 years ago

  • Owner set to jeremyfelt
  • Status changed from new to assigned

Can this be consolidated with #17904?

#9 in reply to: ↑ 8 @jeremyfelt
3 years ago

  • Keywords needs-testing removed

Replying to wonderboymusic:

Can this be consolidated with #17904?

I think we can get this one in now as the change is very small and tests are in place. After re-reading #17904, I think it's a lot closer than I remembered. We can continue work there for the next cycle.

#10 @jeremyfelt
3 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 33083:

Usernames in multisite should be restricted to 60 characters or fewer.

Only 60 characters can be stored in the database for a username, which could cause lookup issues when attempting to use similar usernames of extreme length.

Props @DJPaul.
See #17904, Fixes #26784.