Opened 9 years ago
Closed 6 years ago
#36342 closed defect (bug) (wontfix)
No check to validate supplied author in export_wp()
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 3.1 |
| Component: | Export | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description (last modified by )
One of the options for export_wp() is to filter by author, but that filter option is not validated; it's used verbatim in the wpdb call. This should be validated first, no?
Attachments (1)
Change History (10)
#1
@
9 years ago
- Description modified (diff)
- Summary changed from No check to valide supplied author in wp_export() to No check to validate supplied author in export_wp()
This ticket was mentioned in Slack in #core by jeffpaul. View the logs.
7 years ago
#7
@
7 years ago
- Milestone changed from Awaiting Review to 5.0
- Owner set to SergeyBiryukov
- Status changed from new to reviewing
#9
@
6 years ago
- Milestone 5.1 deleted
- Resolution set to wontfix
- Status changed from reviewing to closed
The issue isn't that esc_sql() needs to be run on these arguments, it's that wp_export() doesn't check if the author exists before adding it to the query.
I don't think it's really necessary, if they attempt to export an author that doesn't exist (or doesn't have any posts), it'll just return an empty export.
We used this ticket for the Italian core-help meeting for a live coding session.
After an analysis we saw that prepare (https://codex.wordpress.org/Class_Reference/wpdb#Protect_Queries_Against_SQL_Injection_Attacks) already sanitizes the data. Also there were other parameters that weren't sanitized; in any case we weren't sure if this ticket is still valid, but it was an easy, interesting example of how to do a patch.
So if the patch is still valid, we're done; otherwise we had fun and learned more about the process (and this ticket can be closed) :-)
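A worked illustration of the distinction drawn in the description, in comment #9 and in the core-help note above, added here as an example; it is not WordPress core code and not the attached patch. It separates the two concerns the thread conflates: wpdb::prepare() with a %d placeholder casts the argument to an integer, which removes the injection concern, while checking that the author actually exists is a separate, semantic validation that prepare() cannot do. `FakeWpdb` (a stand-in that implements only the %d behaviour of prepare()), `export_author_where()` and the `$authors` array are constructed for this example and are not WordPress APIs.

```php
<?php
// Added example for ticket #36342; not WordPress core code.
// Assumed/constructed names: FakeWpdb, export_author_where(), $authors.

// Stand-in for wpdb that implements only the %d placeholder of prepare():
// every argument is cast with intval(), so a string such as '7 OR 1=1'
// collapses to the integer 7 before it reaches the SQL text.
class FakeWpdb {
    public $posts = 'wp_posts';

    public function prepare( $query, ...$args ) {
        return vsprintf( $query, array_map( 'intval', $args ) );
    }
}

/**
 * Build the author part of the export WHERE clause.
 *
 * Two separate checks:
 *  1. semantic validation: the author id must belong to a known user
 *     (what the ticket asks for; otherwise the export is silently empty);
 *  2. injection safety: the value is bound through prepare() with %d.
 *
 * @param FakeWpdb $wpdb     Database wrapper (stand-in here).
 * @param mixed    $author   Author filter as supplied by the caller.
 * @param array    $authors  Constructed map of user id => user_login.
 * @return string  SQL fragment, or '' when no author filter was requested.
 * @throws InvalidArgumentException when the author does not exist.
 */
function export_author_where( FakeWpdb $wpdb, $author, array $authors ) {
    if ( empty( $author ) ) {
        return ''; // no author filter requested
    }

    // Validate before touching the query: reject ids that do not exist
    // instead of producing an export that simply contains no posts.
    $author_id = (int) $author;
    if ( ! isset( $authors[ $author_id ] ) ) {
        throw new InvalidArgumentException( "unknown author {$author_id}" );
    }

    // Bind the validated id; %d keeps the value an integer in the SQL.
    return $wpdb->prepare( " AND {$wpdb->posts}.post_author = %d", $author_id );
}

// Constructed sample data: two known authors.
$wpdb    = new FakeWpdb();
$authors = array( 1 => 'admin', 7 => 'editor' );

// Existing author: a normal WHERE fragment is produced.
echo export_author_where( $wpdb, 7, $authors ), "\n";

// Injection attempt: the cast to int neutralises the trailing SQL,
// and the resulting id (7) is a real author, so the export proceeds.
echo export_author_where( $wpdb, '7 OR 1=1', $authors ), "\n";

// Non-existent author: rejected up front rather than exported as empty.
try {
    export_author_where( $wpdb, 42, $authors );
} catch ( InvalidArgumentException $e ) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run it with `php example.php`. In a real plugin or core patch the existence check would use get_userdata() and report failure through WP_Error rather than an exception, and the real wpdb::prepare() also handles %s and %f placeholders; the stand-in here covers only the %d path that matters for the author id.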