[wp-trac] Re: [WordPress Trac] #9640: wp_update_user() blindly calls add_magic_quotes(), even on objects
WordPress Trac
wp-trac at lists.automattic.com
Thu Apr 30 12:06:16 GMT 2009
#9640: wp_update_user() blindly calls add_magic_quotes(), even on objects
-----------------------------------+----------------------------------------
Reporter: misterbisson | Owner:
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: 2.8
Component: Users | Version: 2.8
Severity: normal | Resolution:
Keywords: dev-feedback security |
-----------------------------------+----------------------------------------
Comment(by Denis-de-Bernardy):
Replying to [comment:17 hakre]:
{{{
$user=add_magic_quotes(get_object_vars($user));
}}}
the trouble with this one is that it won't do the trick if a meta is an object.
as I see things: the functionality is broken but functional.
as you highlight, _fill_user() allows overriding a user's fields with a
meta. this might be desirable, or not. it had caught my attention too when
looking into a separate ticket on a get_usermeta function overhaul: #7540.
the latter point could be addressed in 2.8 if it poses any security
threat, else it's probably a bug we can live with.
on the user meta front, the current behavior works as long as you're not
trying to insert objects in user_meta. a plugin dev will notice this on
the spot while coding. he'll just work around the issue by storing arrays
instead. in other words it's broken but functional.
imo, it's more urgent to give the API a good clean-up (see #7540)
than making add_magic_quotes() behave well for objects. the latter is
really not designed for this (it's supposed to be used to quote the GET,
POST, etc. variables). put otherwise, it makes more sense (to me anyway)
to not use it at all in the various user_meta functions, and to rework the
workflow accordingly.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/9640#comment:18>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
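The failure mode discussed in the comment above, as an added example that is not part of the ticket or of WordPress core: a simplified model of a magic-quotes helper that recurses into arrays but hands every other value to addslashes() (an assumption about the shape of the helper, not a copy of core's function), next to a variant that also walks an object's public properties. The sample user array and the stdClass meta value are constructed for the demonstration.

```php
<?php
// Added example, not WordPress core code. quote_arrays_only() models the
// behaviour described in the comment (assumption: recursion only on arrays);
// quote_deep() is one way to make the same quoting step survive object values.

// Recurses into nested arrays; anything else, including an object, goes to
// addslashes(). addslashes() on an object raises a warning and returns NULL on
// PHP 7, and throws a TypeError on PHP 8, so an object-valued meta is lost.
function quote_arrays_only(array $data) {
    foreach ($data as $k => $v) {
        $data[$k] = is_array($v) ? quote_arrays_only($v) : addslashes($v);
    }
    return $data;
}

// Walks arrays and objects (public properties only, via get_object_vars(),
// so private/protected properties are left untouched), quotes strings, and
// leaves ints, bools and null as they are. Objects are cloned first so the
// caller's instance is not mutated.
function quote_deep($value) {
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = quote_deep($v);
        }
        return $value;
    }
    if (is_object($value)) {
        $copy = clone $value;
        foreach (get_object_vars($copy) as $k => $v) {
            $copy->$k = quote_deep($v);
        }
        return $copy;
    }
    if (is_string($value)) {
        return addslashes($value);
    }
    return $value;
}

// Constructed sample: a user record with a nested array and an object meta.
$meta = new stdClass;
$meta->nickname = "O'Brien";
$meta->prefs    = array('sig' => 'say "hi"');

$user = array(
    'user_login'   => 'obrien',
    'display_name' => "Pat O'Brien",
    'extra'        => array('city' => "Coeur d'Alene"),
    'meta_obj'     => $meta,
);

// Arrays-only helper: the object never gets quoted; it is replaced by NULL
// (PHP 7, with a warning) or the call aborts with a TypeError (PHP 8).
try {
    $r = quote_arrays_only($user);
    var_dump($r['meta_obj']);
} catch (TypeError $e) {
    echo "arrays-only helper failed on the object: ", $e->getMessage(), "\n";
}

// Object-aware helper: every string, including those inside the object and
// its nested array, is quoted, and the original $meta is unchanged.
$q = quote_deep($user);
echo $q['display_name'], "\n";
echo $q['extra']['city'], "\n";
echo $q['meta_obj']->nickname, "\n";
echo $q['meta_obj']->prefs['sig'], "\n";
echo $meta->nickname, "\n";
```

Running this shows the point the comment makes: with the arrays-only helper a plugin that stores an object in user meta sees it turned into NULL or a fatal error on the spot, while a plugin that stores an array instead gets its strings quoted as expected. The object-aware variant is shown only to illustrate what handling objects would take; the comment's position is that the quoting step does not belong in the user-meta functions at all.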