#47820 closed feature request (fixed)
should update_option() check "manage_options" capability?
Reported by: | lllor | Owned by: | SergeyBiryukov |
---|---|---|---|
Milestone: | 5.3 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Options, Meta APIs | Keywords: | good-first-bug has-patch dev-feedback |
Focuses: | docs | Cc: |
Description
As in the summary, please consider improving the security of update_option() by checking the related capability.
Or at least, write in the documentation that it's in the plugin author's duty to verify it.
Otherwise, a vulnerability may occur, as recently happened in the ND Shortcodes For Visual Composer plugin:
Cheers.
Attachments (2)
Change History (11)
#2
follow-up:
↓ 3
@
5 years ago
- Keywords needs-patch added; dev-feedback removed
- Milestone changed from Awaiting Review to Future Release
#3
in reply to:
↑ 2
;
follow-up:
↓ 4
@
5 years ago
Replying to SergeyBiryukov:
Hi @lllor, welcome to WordPress Trac! Thanks for the ticket!
update_option()
is a low-level utility function often used in contexts when there's no logged-in user (Cron, CLI tools, etc.), so checking capabilities is beyond its scope. See a similar discussion aboutwp_insert_post()
in #19373.
Or at least, write in the documentation that it's in the plugin author's duty to verify it.
We could definitely clarify that in the documentation.
Excellent! So, if I haven't misunderstood, update_option must be used only in peculiar contexts and not as general-purpose interface to the wp-options provided to the plugins.
#4
in reply to:
↑ 3
;
follow-up:
↓ 5
@
5 years ago
- Focuses docs added
- Keywords good-first-bug added
- Milestone changed from Future Release to 5.3
Replying to lllor:
Excellent! So, if I haven't misunderstood, update_option must be used only in peculiar contexts and not as general-purpose interface to the wp-options provided to the plugins.
It should be used for updating an option value in the database (instead of direct SQL queries, for example).
As you wrote in the ticket description, it's plugin author's responsibility to check the appropriate capabilities before saving any option changes.
Marking as a good-first-bug
to reflect that in the function documentation.
#5
in reply to:
↑ 4
@
5 years ago
Replying to SergeyBiryukov:
Marking as a
good-first-bug
to reflect that in the function documentation.
I updated the doc of update_option
to reflect the topic we discussed here.
Hi @lllor, welcome to WordPress Trac! Thanks for the ticket!
update_option()
is a low-level utility function often used in contexts when there's no logged-in user (Cron, CLI tools, etc.), so checking capabilities is beyond its scope. See a similar discussion aboutwp_insert_post()
in #19373.We could definitely clarify that in the documentation.