Make WordPress Core

Opened 3 years ago

Closed 5 months ago

Last modified 5 months ago

#55335 closed defect (bug) (fixed)

$user_login double escaped with incorrect/empty password in wp-login.php

Reported by: johnjamesjacoby's profile johnjamesjacoby Owned by: sergeybiryukov's profile SergeyBiryukov
Milestone: 6.7 Priority: normal
Severity: normal Version:
Component: Login and Registration Keywords: 2nd-opinion has-patch
Focuses: Cc:

Description

First:

		if ( isset( $_POST['log'] ) ) {
			$user_login = ( 'incorrect_password' === $errors->get_error_code() || 'empty_password' === $errors->get_error_code() ) ? esc_attr( wp_unslash( $_POST['log'] ) ) : '';
		}

Then:

<input type="text" name="log" id="user_login"<?php echo $aria_describedby_error; ?> class="input" value="<?php echo esc_attr( $user_login ); ?>" size="20" autocapitalize="off" />

Fix is to late escape only, and remove the top one.

Change History (11)

#1 @johnjamesjacoby
3 years ago

Relatedly, 'register' action is double wp_unslash()ing $user_email and $user_login.

#2 @rajinsharwar
16 months ago

  • Keywords needs-dev-note added
  • Milestone changed from Awaiting Review to 6.4

#3 @rajinsharwar
16 months ago

  • Milestone changed from 6.4 to Awaiting Review

#4 @rajinsharwar
16 months ago

Lets see what others think about it.

Last edited 14 months ago by rajinsharwar (previous) (diff)

#5 @rajinsharwar
14 months ago

  • Keywords needs-dev-note removed

This ticket was mentioned in Slack in #core by rajinsharwar. View the logs.


14 months ago

#7 @rajinsharwar
5 months ago

  • Keywords 2nd-opinion added

Pretty minor change, adding 2nd opinion if we really need this change.

This ticket was mentioned in PR #6952 on WordPress/wordpress-develop by @narenin.


5 months ago
#8

  • Keywords has-patch added

#9 @SergeyBiryukov
5 months ago

  • Milestone changed from Awaiting Review to 6.7
  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

#10 @SergeyBiryukov
5 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 58623:

Login and Registration: Remove redundant escaping in wp-login.php.

  • $user_login in the login action is already escaped on output.
  • $user_login and $user_email in the register action are already unslashed a few lines above.

Follow-up to [3120], [4339], [8454], [11104], [23416], [23554], [23594], [46640].

Props johnjamesjacoby, rajinsharwar, narenin.
Fixes #55335.

@SergeyBiryukov commented on PR #6952:


5 months ago
#11

Thanks for the PR! Merged in r58623.

Note: See TracTickets for help on using tickets.