Opened 3 years ago
Closed 3 years ago
#57138 closed defect (bug) (wontfix)
Sanitize attachment ID in media.php
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | normal | Version: | 6.2 |
| Component: | Media | Keywords: | has-patch |
| Focuses: | administration | Cc: |
Description
On line #59(https://github.com/WordPress/wordpress-develop/blob/trunk/src/wp-admin/media.php#L59) in the media.php the attachment ID is taking from $_GET super-global variable but is not sanitized.
Attachments (1)
Change History (4)
#2
@
3 years ago
- Focuses administration added; privacy removed
Hi there, welcome to WordPress Trac! Thanks for the ticket.
I might be missing something, but with the (int) type casting already applied there, isn't sanitize_text_field() redundant?
#3
@
3 years ago
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
I agree with @SergeyBiryukov that casting to int makes the call to sanitize_text_field() redundant.
If, after type casting, the value is cast to zero then the current_user_can() check that follows will fail and prevent the user proceeding.
At times sanitization can be quite nuanced and this is one of those cases: as a rule casting to a numeric value is considered safe.
I'm going to close this ticket off without a fix but I really appreciate you suggesting the hardening measure.
Created patch.