WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#38739 closed defect (bug) (fixed)

REST API: slashing and validation: users

Reported by: jnylen0 Owned by: rmccue
Milestone: 4.7 Priority: normal
Severity: major Version: 4.7
Component: REST API Keywords: has-patch has-unit-tests commit
Focuses: Cc:
PR Number:

Description

There are multiple issues with validation of user parameters in the API:

  • Improper/missing validation of usernames as compared to wp-admin. This allows creating a user with e.g. username=¯\_(ツ)_/¯ (in this case, the username is sanitized to __ internally).
  • The API skips the illegal_user_logins filter that sites can use to customize a list of prohibited usernames.
  • Missing checks for password: cannot be empty, cannot contain \.
  • Backslashes are eaten (see also #38609, #38704, #38726).

This patch fixes the above issues and adds tests. The validation checks are adapted from edit_user here.

In order to test updating user passwords, we need to mock out wp_clear_auth_cookie and wp_set_auth_cookie. Otherwise, this error occurs due to the setcookie calls in those functions:

Cannot modify header information - headers already sent by (output started at tests/phpunit/includes/bootstrap.php:61)

HTML tags and other nastiness are currently removed from usernames correctly because wp_insert_user calls sanitize_user( $username, true ).

Attachments (1)

38739.diff (24.4 KB) - added by jnylen0 3 years ago.

Download all attachments as: .zip

Change History (4)

@jnylen0
3 years ago

This ticket was mentioned in Slack in #core-restapi by helen. View the logs.


3 years ago

#2 @rmccue
3 years ago

  • Keywords commit added
  • Owner set to rmccue
  • Status changed from new to reviewing

For the multi-error, this can instead use a single WP_Error instance and use $error->add( $code, $message, $data ). This will give the main error, and add a new additional_errors key to the error response with the others.

Otherwise, looks good to me.

#3 @rmccue
3 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 39219:

REST API: Improve validation for usernames and passwords.

Also improves the slashing of user data in the REST API to avoid data loss.

Props jnylen0.
Fixes #38739.

Note: See TracTickets for help on using tickets.