Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#47820 closed feature request (fixed)

should update_option() check "manage_options" capability?

Reported by: lllor
Owned by: SergeyBiryukov
Milestone: 5.3
Priority: normal
Severity: normal
Version:
Component: Options, Meta APIs
Keywords: good-first-bug has-patch dev-feedback
Focuses: docs
Cc:

Description

As in the summary, please consider improving the security of update_option() by checking the related capability.

Or at least, write in the documentation that it's in the plugin author's duty to verify it.

Otherwise, a vulnerability may occur, as recently happened in the ND Shortcodes For Visual Composer plugin:

https://blog.nintechnet.com/privilege-escalation-vulnerability-in-wordpress-nd-shortcodes-for-visual-composer-plugin/

Cheers.

Attachments (2)

47820.diff (623 bytes) - added by dinhtungdu 5 years ago.
47820.2.diff (624 bytes) - added by dinhtungdu 5 years ago.
Fix grammar issues.


Change History (11)

#1 @mukesh27
5 years ago

  • Keywords dev-feedback added
  • Version 5.2.2 deleted

#2 follow-up: @SergeyBiryukov
5 years ago

  • Keywords needs-patch added; dev-feedback removed
  • Milestone changed from Awaiting Review to Future Release

Hi @lllor, welcome to WordPress Trac! Thanks for the ticket!

update_option() is a low-level utility function often used in contexts where there's no logged-in user (Cron, CLI tools, etc.), so checking capabilities is beyond its scope. See a similar discussion about wp_insert_post() in #19373.

Or at least, write in the documentation that it's in the plugin author's duty to verify it.

We could definitely clarify that in the documentation.

#3 in reply to: ↑ 2 ; follow-up: @lllor
5 years ago

Replying to SergeyBiryukov:

Hi @lllor, welcome to WordPress Trac! Thanks for the ticket!

update_option() is a low-level utility function often used in contexts where there's no logged-in user (Cron, CLI tools, etc.), so checking capabilities is beyond its scope. See a similar discussion about wp_insert_post() in #19373.

Or at least, write in the documentation that it's in the plugin author's duty to verify it.

We could definitely clarify that in the documentation.

Excellent! So, if I haven't misunderstood, update_option must be used only in peculiar contexts and not as a general-purpose interface to the wp-options provided to the plugins.

#4 in reply to: ↑ 3 ; follow-up: @SergeyBiryukov
5 years ago

  • Focuses docs added
  • Keywords good-first-bug added
  • Milestone changed from Future Release to 5.3

Replying to lllor:

Excellent! So, if I haven't misunderstood, update_option must be used only in peculiar contexts and not as a general-purpose interface to the wp-options provided to the plugins.

It should be used for updating an option value in the database (instead of direct SQL queries, for example).

As you wrote in the ticket description, it's the plugin author's responsibility to check the appropriate capabilities before saving any option changes.

Marking as a good-first-bug to reflect that in the function documentation.
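What "the plugin author checks capabilities before calling update_option()" looks like in practice, as an added example that is not code from this ticket or from WordPress core; the option name `myplugin_settings`, the handler names and the nonce action are hypothetical:

```php
<?php
// Added example, not from the ticket or from WordPress core.
// Hypothetical plugin option "myplugin_settings" saved from an admin-ajax.php request.

// Unsafe pattern: update_option() performs no capability check itself, so any
// user who can reach this handler can overwrite the option.
function myplugin_save_settings_unsafe() {
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'myplugin_settings', $value );
    wp_send_json_success();
}

// Hardened pattern: the caller, not update_option(), enforces authorization.
function myplugin_save_settings() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'myplugin_save_settings', 'nonce' );

    // 2. Authorization: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Sanitize input before persisting it.
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';

    update_option( 'myplugin_settings', $value );
    wp_send_json_success();
}

// Register for authenticated requests only: no wp_ajax_nopriv_ hook, so
// logged-out requests never reach the handler at all.
add_action( 'wp_ajax_myplugin_save_settings', 'myplugin_save_settings' );

// Where the settings form is rendered, emit the matching nonce field:
// wp_nonce_field( 'myplugin_save_settings', 'nonce' );
```

The same three checks (nonce, capability, sanitization) apply to admin_post and REST handlers, and to any other code path that ends in update_option().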

@dinhtungdu
5 years ago

#5 in reply to: ↑ 4 @dinhtungdu
5 years ago

Replying to SergeyBiryukov:

Marking as a good-first-bug to reflect that in the function documentation.

I updated the doc of update_option to reflect the topic we discussed here.

@dinhtungdu
5 years ago

Fix grammar issues.

#6 @dinhtungdu
5 years ago

  • Keywords has-patch dev-feedback added; needs-patch removed

#7 @SergeyBiryukov
5 years ago

  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

#8 @SergeyBiryukov
5 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 46120:

Docs: Clarify in update_option() description that it's the plugin author's responsibility to check the current user's capabilities before saving any option changes.

Props dinhtungdu, lllor.
Fixes #47820.

#9 @SergeyBiryukov
5 years ago

In 46121:

Coding Standards: Fix WPCS issue in [46120].

See #47820.
