
Make WordPress Core

Opened 2 years ago

Last modified 4 months ago

#36342 reviewing defect (bug)

No check to validate supplied author in export_wp()

Reported by: theMikeD
Owned by: SergeyBiryukov
Milestone: 5.0
Priority: normal
Severity: normal
Version: 3.1
Component: Export
Keywords: 4.6-early has-patch
Focuses:
Cc:

Description (last modified by DrewAPicture)

One of the options for export_wp() is to filter by author, but that filter option is not validated; it's used verbatim in the wpdb call. This should be validated first, no?

Attachments (1)

36342.diff (1.4 KB) - added by Mte90 5 months ago.


Change History (8)

#1 @DrewAPicture
2 years ago

  • Description modified (diff)
  • Summary changed from "No check to valide supplied author in wp_export()" to "No check to validate supplied author in export_wp()"

#2 @chriscct7
2 years ago

  • Keywords 4.6-early added
  • Version trunk deleted

#3 @SergeyBiryukov
2 years ago

  • Keywords needs-patch added

#4 @netweb
2 years ago

  • Version set to 3.1

@Mte90
5 months ago

#5 @Mte90
5 months ago

  • Keywords has-patch added; needs-patch removed

We used this ticket for the Italian core-help meeting for live coding. After an analysis we saw that https://codex.wordpress.org/Class_Reference/wpdb#Protect_Queries_Against_SQL_Injection_Attacks prepare already sanitizes the data. Also there were other parameters that weren't sanitized; in any case we weren't sure if this ticket is still valid, but it was an easy, interesting example of how to make a patch. So if the patch is still valid, we're done; otherwise we had fun and learned more about the process (and this ticket can be closed) :-)
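Added example (editor's illustration, not WordPress core code and not the 36342.diff attached to this ticket). It puts side by side the pattern the description worries about (the `author` argument interpolated into the WHERE clause verbatim), the `%d` placeholder form of `wpdb::prepare()` that the Codex page linked in comment #5 describes, and an explicit validation step in front of the query builder. `StubWpdb` is a stand-in written for this example so it runs with plain `php` outside WordPress; it mimics only the `%d`/`%s` placeholders and is not the real `wpdb` class. The function names are hypothetical.

```php
<?php
// Added example, not WordPress core code and not the patch attached to this
// ticket. Contrasts a verbatim interpolation of the `author` argument with
// the %d form of wpdb::prepare(), and adds a validation step that rejects
// bad input before any SQL is built.

// Minimal stand-in for wpdb so the script runs outside WordPress. It is NOT
// the real class: it only mimics the two placeholders used below (%d casts
// to int, %s quotes and escapes), as the Codex page in comment #5 describes.
final class StubWpdb
{
    public string $posts = 'wp_posts';

    public function prepare(string $query, ...$args): string
    {
        $i = 0;
        return preg_replace_callback(
            '/%[ds]/',
            function (array $m) use (&$i, $args): string {
                $value = $args[$i++] ?? '';
                return $m[0] === '%d'
                    ? (string) (int) $value
                    : "'" . addslashes((string) $value) . "'";
            },
            $query
        );
    }
}

// The risky pattern: whatever the caller passed is interpolated as-is.
function author_clause_verbatim(StubWpdb $wpdb, $author): string
{
    return " AND {$wpdb->posts}.post_author = {$author}";
}

// The prepare()/%d form: the argument is coerced to an integer, so a crafted
// string cannot change the structure of the query.
function author_clause_prepared(StubWpdb $wpdb, $author): string
{
    return $wpdb->prepare(" AND {$wpdb->posts}.post_author = %d", $author);
}

// Explicit validation in front of the query builder: accept only a positive
// integer user ID and fail loudly on anything else, rather than silently
// coercing "1 OR 1=1" to user 1 (which still exports, just for author 1).
function validate_author_arg($author): int
{
    $s = (string) $author;
    if ($s === '' || !ctype_digit($s) || (int) $s <= 0) {
        throw new InvalidArgumentException(
            "author must be a positive integer ID, got: {$s}"
        );
    }
    return (int) $s;
}

// Constructed inputs: a legitimate ID and two injection attempts.
$wpdb = new StubWpdb();
foreach (['7', '1 OR 1=1', '1; DROP TABLE wp_posts'] as $input) {
    echo "input: {$input}\n";
    echo "  verbatim: " . author_clause_verbatim($wpdb, $input) . "\n";
    echo "  prepared: " . author_clause_prepared($wpdb, $input) . "\n";
    try {
        echo "  validated: " . validate_author_arg($input) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "  validated: rejected (" . $e->getMessage() . ")\n";
    }
}
```

The verbatim clause carries `1 OR 1=1` into the SQL unchanged; the `%d` form collapses it to `1`, which is safe against injection but quietly exports the wrong author's posts; the validation step rejects it outright, which is the check the description asks for and is independent of whatever escaping the query layer does.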

This ticket was mentioned in Slack in #core by jeffpaul.
4 months ago

#7 @SergeyBiryukov
4 months ago

  • Milestone changed from Awaiting Review to 5.0
  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing