WordPress.org

Make WordPress Core

Opened 8 months ago

Last modified 8 months ago

#46536 new defect (bug)

wp_create_user_request should sanitize the action_name using _wp_privacy_action_request_types

Reported by: garrett-eclipse Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version: 4.9.6
Component: Privacy Keywords: has-patch has-unit-tests needs-testing
Focuses: Cc:
PR Number:

Description

Hello,

It was flagged by @birgire in #44721 that the wp_create_user_request would accept any action name.

The check against _wp_privacy_action_request_types found in _wp_personal_data_handle_actions should be moved into wp_create_user_request to check against invalid request actions. The check I'm speaking of;
https://github.com/WordPress/wordpress-develop/blob/5.1.1/src/wp-admin/includes/user.php#L691-L698

As the wp_create_user_request is called directly after the check moving it into the function results in the same sanitization for _wp_personal_data_handle_actions while also sanitizing the other methods such as _wp_privacy_send_erasure_fulfillment_notification.

All the best

Attachments (1)

46536.diff (4.7 KB) - added by garrett-eclipse 8 months ago.
Patch to move check for _wp_privacy_action_request_types into wp_create_user_request, along with updated unit tests to avoid failures

Download all attachments as: .zip

Change History (3)

@garrett-eclipse
8 months ago

Patch to move check for _wp_privacy_action_request_types into wp_create_user_request, along with updated unit tests to avoid failures

#1 @garrett-eclipse
8 months ago

  • Keywords has-patch has-unit-tests needs-testing added

Attached 46536.diff to move the check on _wp_privacy_action_request_types into wp_create_user_request to ensure more coverage of the check as it previously only covered _wp_personal_data_handle_actions and overlooked actions like _wp_privacy_send_erasure_fulfillment_notification.

To reduce and still distinguish the ! $action_name check I updated it to missing_action error and used it's invalid_action for the new check on _wp_privacy_action_request_types.

In order for the changes to pass existing unit tests I had to make the following adjustments;

  • Replaced the original test_invalid_action in wpCreateUserRequest.php with test_missing_action to confirm the change to the ! $action_name error.
  • Updated the test_invalid_action to confirm action names that don't pass the _wp_privacy_action_request_types check are caught
  • Updated test_sanitized_action_name to use a unsanitized version of export_personal_data which passes the _wp_privacy_action_request_types error check.
  • Updated wpSetUpBeforeClass inwpPrivacySendErasureFulfillmentNotification.php to use a valid action name remove_personal_data. NOTE: This test is also being addressed in #44721 so one or the other ticket will need a refresh once one is committed.
  • Updated two additional invalid action names found in wpSendUserRequest.php

#2 @desrosj
8 months ago

  • Milestone changed from Awaiting Review to Future Release
Note: See TracTickets for help on using tickets.