[wp-trac] Re: [WordPress Trac] #8770: Add role filtering to user editing code to secure edit_users capability (security)
WordPress Trac
wp-trac at lists.automattic.com
Tue Jan 6 17:39:12 GMT 2009
#8770: Add role filtering to user editing code to secure edit_users capability (security)
--------------------------------------------------+-------------------------
Reporter:  jeremyclarke                            | Owner:      jeremyclarke
Type:      defect (bug)                            | Status:     new
Priority:  normal                                  | Milestone:  2.8
Component: Security                                | Version:
Severity:  normal                                  | Resolution:
Keywords:  has-patch capabilities needs-testing    |
--------------------------------------------------+-------------------------
Comment (by jeremyclarke):
re: empty array from get_editable_roles() - I don't think this is
necessary because any situation where a user is being edited already has a
check in it to make sure. In fact I think by the time you've edited a user
the current_user_can('edit_users') has been run many, many times (which is
good because it avoids various sneaky attacks using $_POST). In all the
cases I saw it was very well established that the user can edit_users,
both in the processing of $_POST and before even displaying the UI
elements needed to initiate a user edit.
re: wp-admin/users.php changes allowing edits - the patch is deceptive: if
you look just below the changes in the actual file you see that there are
specific checks to current_user_can('edit_user', $id), which will return
false if just 'edit_users' was false, and goes even further to ensure that
each specific user is editable. I just removed the plain edit_users check
because it was redundant and would have some minuscule effect on
performance. If that makes you nervous please just undo that change and
keep the rest.
--
Ticket URL: <http://trac.wordpress.org/ticket/8770#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
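A sketch of how the per-user 'edit_user' check and the get_editable_roles() role filtering discussed above combine when a role change is processed, added here as an illustration rather than the ticket's patch or WordPress's own code. can_assign_role() is a hypothetical helper, and the $_POST field names are assumed; current_user_can(), get_editable_roles(), get_userdata() and wp_die() are the real WordPress functions.

```php
<?php
// Added illustration, not the ticket's patch. Assumes WordPress is loaded
// (current_user_can, get_editable_roles, get_userdata, wp_die available).
// can_assign_role() is a hypothetical helper name.

function can_assign_role( $target_user_id, $new_role ) {
    // Per-target check: 'edit_user' is false whenever 'edit_users' is
    // false, and additionally refuses targets the current user may not edit.
    if ( ! current_user_can( 'edit_user', $target_user_id ) ) {
        return false;
    }

    // Role filtering: only roles returned by get_editable_roles() for the
    // current user may be assigned. An empty array means none at all.
    $editable = get_editable_roles(); // keyed by role slug
    if ( empty( $editable ) || ! isset( $editable[ $new_role ] ) ) {
        return false;
    }

    // Refuse to change a target whose current role lies outside the set
    // the current user may hand out, so a lower-privileged user with
    // edit_users cannot demote or rewrite an administrator.
    $target = get_userdata( $target_user_id );
    if ( ! $target ) {
        return false;
    }
    foreach ( (array) $target->roles as $role ) {
        if ( ! isset( $editable[ $role ] ) ) {
            return false;
        }
    }
    return true;
}

// Usage inside the $_POST processing path (field names assumed). The
// 'edit_users' check has already gated the form that submitted this.
$user_id  = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;
$new_role = isset( $_POST['role'] ) ? (string) $_POST['role'] : '';
if ( ! can_assign_role( $user_id, $new_role ) ) {
    wp_die( __( 'You do not have permission to assign that role.' ) );
}
```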