Opened 8 years ago
Closed 8 years ago
#38739 closed defect (bug) (fixed)
REST API: slashing and validation: users
Reported by: | jnylen0 | Owned by: | rmccue |
---|---|---|---|
Milestone: | 4.7 | Priority: | normal |
Severity: | major | Version: | 4.7 |
Component: | REST API | Keywords: | has-patch has-unit-tests commit |
Focuses: | Cc: |
Description
There are multiple issues with validation of user parameters in the API:
- Improper/missing validation of usernames as compared to wp-admin. This allows creating a user with e.g.
username=¯\_(ツ)_/¯
(in this case, the username is sanitized to__
internally). - The API skips the
illegal_user_logins
filter that sites can use to customize a list of prohibited usernames. - Missing checks for password: cannot be empty, cannot contain
\
. - Backslashes are eaten (see also #38609, #38704, #38726).
This patch fixes the above issues and adds tests. The validation checks are adapted from edit_user
here.
In order to test updating user passwords, we need to mock out wp_clear_auth_cookie
and wp_set_auth_cookie
. Otherwise, this error occurs due to the setcookie
calls in those functions:
Cannot modify header information - headers already sent by (output started at tests/phpunit/includes/bootstrap.php:61)
HTML tags and other nastiness are currently removed from usernames correctly because wp_insert_user
calls sanitize_user( $username, true )
.
Attachments (1)
Change History (4)
Note: See
TracTickets for help on using
tickets.
For the multi-error, this can instead use a single WP_Error instance and use
$error->add( $code, $message, $data )
. This will give the main error, and add a newadditional_errors
key to the error response with the others.Otherwise, looks good to me.