<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[34218] trunk: Improve validation of `user_login` and `user_nicename` length.</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta" style="font-size: 105%">
<dt style="float: left; width: 6em; font-weight: bold">Revision</dt> <dd><a style="font-weight: bold" href="https://core.trac.wordpress.org/changeset/34218">34218</a><script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","description":"Review this Commit","action":{"@type":"ViewAction","url":"https://core.trac.wordpress.org/changeset/34218","name":"Review Commit"}}</script></dd>
<dt style="float: left; width: 6em; font-weight: bold">Author</dt> <dd>boonebgorges</dd>
<dt style="float: left; width: 6em; font-weight: bold">Date</dt> <dd>2015-09-15 22:13:51 +0000 (Tue, 15 Sep 2015)</dd>
</dl>
<pre style='padding-left: 1em; margin: 2em 0; border-left: 2px solid #ccc; line-height: 1.25; font-size: 105%; font-family: sans-serif'>Improve validation of `user_login` and `user_nicename` length.
The `user_login` field only allows 60 characters, and `user_nicename` allows
50. However, there are no protections in the interface, and few in the code,
that prevent the creation of users with values in excess of these limits. Prior
to recent changes in `$wpdb`, users were generally created anyway, MySQL
having performed the necessary truncation. More recently, the `INSERT`s and
`UPDATE`s simply fail, with no real feedback on the nature of the failure.
This changeset addresses the issue in a number of ways:
* On the user-new.php and network/user-new.php panels, don't allow input in excess of the maximum field length.
* In `wp_insert_user()`, throw an error if the value provided for `'user_login'` or `'user_nicename'` exceeds the maximum field length.
* In `wp_insert_user()`, when using `'user_login'` to generate a default value for `'user_nicename'`, ensure that the nicename is properly truncated, even when suffixed for uniqueness (username-2, etc).
Props dipesh.kakadiya, utkarshpatel, tommarshall, boonebgorges.
Fixes <a href="https://core.trac.wordpress.org/ticket/33793">#33793</a>.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunksrcwpadminnetworkusernewphp">trunk/src/wp-admin/network/user-new.php</a></li>
<li><a href="#trunksrcwpadminusernewphp">trunk/src/wp-admin/user-new.php</a></li>
<li><a href="#trunksrcwpincludesuserfunctionsphp">trunk/src/wp-includes/user-functions.php</a></li>
<li><a href="#trunktestsphpunittestsuserphp">trunk/tests/phpunit/tests/user.php</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunksrcwpadminnetworkusernewphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-admin/network/user-new.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-admin/network/user-new.php 2015-09-15 20:52:40 UTC (rev 34217)
+++ trunk/src/wp-admin/network/user-new.php 2015-09-15 22:13:51 UTC (rev 34218)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -89,7 +89,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> <table class="form-table">
</span><span class="cx" style="display: block; padding: 0 10px"> <tr class="form-field form-required">
</span><span class="cx" style="display: block; padding: 0 10px"> <th scope="row"><label for="username"><?php _e( 'Username' ) ?></label></th>
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- <td><input type="text" class="regular-text" name="user[username]" id="username" autocapitalize="none" autocorrect="off" /></td>
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ <td><input type="text" class="regular-text" name="user[username]" id="username" autocapitalize="none" autocorrect="off" maxlength="60" /></td>
</ins><span class="cx" style="display: block; padding: 0 10px"> </tr>
</span><span class="cx" style="display: block; padding: 0 10px"> <tr class="form-field form-required">
</span><span class="cx" style="display: block; padding: 0 10px"> <th scope="row"><label for="email"><?php _e( 'Email' ) ?></label></th>
</span></span></pre></div>
<a id="trunksrcwpadminusernewphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-admin/user-new.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-admin/user-new.php 2015-09-15 20:52:40 UTC (rev 34217)
+++ trunk/src/wp-admin/user-new.php 2015-09-15 22:13:51 UTC (rev 34218)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -375,7 +375,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> <table class="form-table">
</span><span class="cx" style="display: block; padding: 0 10px"> <tr class="form-field form-required">
</span><span class="cx" style="display: block; padding: 0 10px"> <th scope="row"><label for="user_login"><?php _e('Username'); ?> <span class="description"><?php _e('(required)'); ?></span></label></th>
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- <td><input name="user_login" type="text" id="user_login" value="<?php echo esc_attr( $new_user_login ); ?>" aria-required="true" autocapitalize="none" autocorrect="off" /></td>
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ <td><input name="user_login" type="text" id="user_login" value="<?php echo esc_attr( $new_user_login ); ?>" aria-required="true" autocapitalize="none" autocorrect="off" maxlength="60" /></td>
</ins><span class="cx" style="display: block; padding: 0 10px"> </tr>
</span><span class="cx" style="display: block; padding: 0 10px"> <tr class="form-field form-required">
</span><span class="cx" style="display: block; padding: 0 10px"> <th scope="row"><label for="email"><?php _e('Email'); ?> <span class="description"><?php _e('(required)'); ?></span></label></th>
</span></span></pre></div>
<a id="trunksrcwpincludesuserfunctionsphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/user-functions.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/user-functions.php 2015-09-15 20:52:40 UTC (rev 34217)
+++ trunk/src/wp-includes/user-functions.php 2015-09-15 22:13:51 UTC (rev 34218)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1245,19 +1245,28 @@
</span><span class="cx" style="display: block; padding: 0 10px"> //Remove any non-printable chars from the login string to see if we have ended up with an empty username
</span><span class="cx" style="display: block; padding: 0 10px"> $user_login = trim( $pre_user_login );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ // user_login must be between 0 and 60 characters.
</ins><span class="cx" style="display: block; padding: 0 10px"> if ( empty( $user_login ) ) {
</span><span class="cx" style="display: block; padding: 0 10px"> return new WP_Error('empty_user_login', __('Cannot create a user with an empty login name.') );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ } elseif ( mb_strlen( $user_login ) > 60 ) {
+ return new WP_Error( 'user_login_too_long', __( 'Username may not be longer than 60 characters.' ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+
</ins><span class="cx" style="display: block; padding: 0 10px"> if ( ! $update && username_exists( $user_login ) ) {
</span><span class="cx" style="display: block; padding: 0 10px"> return new WP_Error( 'existing_user_login', __( 'Sorry, that username already exists!' ) );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- // If a nicename is provided, remove unsafe user characters before
- // using it. Otherwise build a nicename from the user_login.
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ /*
+ * If a nicename is provided, remove unsafe user characters before using it.
+ * Otherwise build a nicename from the user_login.
+ */
</ins><span class="cx" style="display: block; padding: 0 10px"> if ( ! empty( $userdata['user_nicename'] ) ) {
</span><span class="cx" style="display: block; padding: 0 10px"> $user_nicename = sanitize_user( $userdata['user_nicename'], true );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( mb_strlen( $user_nicename ) > 50 ) {
+ return new WP_Error( 'user_nicename_too_long', __( 'Nicename may not be longer than 50 characters.' ) );
+ }
</ins><span class="cx" style="display: block; padding: 0 10px"> } else {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $user_nicename = $user_login;
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $user_nicename = mb_substr( $user_login, 0, 50 );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> $user_nicename = sanitize_title( $user_nicename );
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1395,7 +1404,9 @@
</span><span class="cx" style="display: block; padding: 0 10px"> if ( $user_nicename_check ) {
</span><span class="cx" style="display: block; padding: 0 10px"> $suffix = 2;
</span><span class="cx" style="display: block; padding: 0 10px"> while ($user_nicename_check) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $alt_user_nicename = $user_nicename . "-$suffix";
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ // user_nicename allows 50 chars. Subtract one for a hyphen, plus the length of the suffix.
+ $base_length = 49 - mb_strlen( $suffix );
+ $alt_user_nicename = mb_substr( $user_nicename, 0, $base_length ) . "-$suffix";
</ins><span class="cx" style="display: block; padding: 0 10px"> $user_nicename_check = $wpdb->get_var( $wpdb->prepare("SELECT ID FROM $wpdb->users WHERE user_nicename = %s AND user_login != %s LIMIT 1" , $alt_user_nicename, $user_login));
</span><span class="cx" style="display: block; padding: 0 10px"> $suffix++;
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span></span></pre></div>
<a id="trunktestsphpunittestsuserphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/tests/phpunit/tests/user.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/tests/phpunit/tests/user.php 2015-09-15 20:52:40 UTC (rev 34217)
+++ trunk/tests/phpunit/tests/user.php 2015-09-15 22:13:51 UTC (rev 34218)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -574,6 +574,97 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $this->assertSame( $user->user_nicename, $updated_user->user_nicename );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ /**
+ * @ticket 33793
+ */
+ public function test_wp_insert_user_should_reject_user_login_over_60_characters() {
+ $user_login = str_repeat( 'a', 61 );
+ $u = wp_insert_user( array(
+ 'user_login' => $user_login,
+ 'user_email' => $user_login . '@example.com',
+ 'user_pass' => 'password',
+ 'user_nicename' => 'something-short',
+ ) );
+
+ $this->assertWPError( $u );
+ $this->assertSame( 'user_login_too_long', $u->get_error_code() );
+ }
+
+ /**
+ * @ticket 33793
+ */
+ public function test_wp_insert_user_should_reject_user_nicename_over_50_characters() {
+ $user_nicename = str_repeat( 'a', 51 );
+ $u = wp_insert_user( array(
+ 'user_login' => 'mynicenamehas50chars',
+ 'user_email' => $user_nicename . '@example.com',
+ 'user_pass' => 'password',
+ 'user_nicename' => $user_nicename,
+ ) );
+
+ $this->assertWPError( $u );
+ $this->assertSame( 'user_nicename_too_long', $u->get_error_code() );
+ }
+
+ /**
+ * @ticket 33793
+ */
+ public function test_wp_insert_user_should_not_generate_user_nicename_longer_than_50_chars() {
+ $user_login = str_repeat( 'a', 55 );
+ $u = wp_insert_user( array(
+ 'user_login' => $user_login,
+ 'user_email' => $user_login . '@example.com',
+ 'user_pass' => 'password',
+ ) );
+
+ $this->assertNotEmpty( $u );
+ $user = new WP_User( $u );
+ $expected = str_repeat( 'a', 50 );
+ $this->assertSame( $expected, $user->user_nicename );
+ }
+
+ /**
+ * @ticket 33793
+ */
+ public function test_wp_insert_user_should_not_truncate_to_a_duplicate_user_nicename() {
+ $u1 = $this->factory->user->create( array(
+ 'user_nicename' => str_repeat( 'a', 50 ),
+ ) );
+
+ $user_login = str_repeat( 'a', 55 );
+ $u = wp_insert_user( array(
+ 'user_login' => $user_login,
+ 'user_email' => $user_login . '@example.com',
+ 'user_pass' => 'password',
+ ) );
+
+ $this->assertNotEmpty( $u );
+ $user = new WP_User( $u );
+ $expected = str_repeat( 'a', 48 ) . '-2';
+ $this->assertSame( $expected, $user->user_nicename );
+ }
+
+ /**
+ * @ticket 33793
+ */
+ public function test_wp_insert_user_should_not_truncate_to_a_duplicate_user_nicename_when_suffix_has_more_than_one_character() {
+ $users = $this->factory->user->create_many( 9, array(
+ 'user_nicename' => str_repeat( 'a', 50 ),
+ ) );
+
+ $user_login = str_repeat( 'a', 55 );
+ $u = wp_insert_user( array(
+ 'user_login' => $user_login,
+ 'user_email' => $user_login . '@example.com',
+ 'user_pass' => 'password',
+ ) );
+
+ $this->assertNotEmpty( $u );
+ $user = new WP_User( $u );
+ $expected = str_repeat( 'a', 47 ) . '-10';
+ $this->assertSame( $expected, $user->user_nicename );
+ }
+
</ins><span class="cx" style="display: block; padding: 0 10px"> function test_changing_email_invalidates_password_reset_key() {
</span><span class="cx" style="display: block; padding: 0 10px"> global $wpdb;
</span><span class="cx" style="display: block; padding: 0 10px">
</span></span></pre>
</div>
</div>
</body>
</html>