[wp-trac] [WordPress Trac] #11644: multiple blogs & sites / merge WPMU

WordPress Trac wp-trac at lists.automattic.com
Wed Jan 20 23:17:10 UTC 2010


#11644: multiple blogs & sites / merge WPMU
----------------------------+-----------------------------------------------
 Reporter:  hakre           |       Owner:  wpmuguru 
     Type:  task (blessed)  |      Status:  assigned 
 Priority:  normal          |   Milestone:  3.0      
Component:  Multisite       |     Version:           
 Severity:  normal          |    Keywords:  multisite
----------------------------+-----------------------------------------------

Comment(by ryan):

 Replying to [comment:92 jamescollins]:
 > Replying to [comment:86 ryan]:
 > > (In [12774]) Use update. see #11644
 >
 > I realise that this changeset has simplified the code, but is it
 > considered a security risk that a site admin could update other fields in
 > the wp_blogs table by adding them to the form before submitting it?
 >
 > i.e. there is nothing stopping a site admin from adding a lang_id or
 > site_id hidden field, then submitting the form. Alternatively I could add
 > any other hidden field that doesn't exist in the wp_blogs table, and it
 > would cause a SQL error.
 >
 > Prior to [12774] these extra fields would have been ignored.

 That change is a first step. It helps security by actually escaping the
 data properly, but the extra fields are an issue. I just haven't gotten to
 rewriting it the rest of the way. Patches appreciated. There are dozens of
 places in the ms- files that need to use prepare(), insert(), or update()
 rather than stuffing POST and GET values directly into a query.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/11644#comment:96>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
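The rest of the rewrite ryan describes, as an added example that is not from the ticket or from WordPress core: the submitted data is intersected with an explicit list of editable wp_blogs columns before $wpdb->update() is called, so an extra hidden field such as site_id or lang_id is dropped instead of written, and a made-up column never reaches the query. The column list and function names are assumptions; $wpdb->update() and $wpdb->blogs are the real WordPress API.

```php
<?php
// Added example, not WordPress core code. Restricts a wp_blogs update to an
// explicit set of columns before calling $wpdb->update(), so a hidden field
// such as site_id or lang_id added to the form is discarded rather than
// written, and a non-existent column cannot reach the query and raise a SQL error.

// Columns the edit form is meant to change (assumption), with $wpdb formats.
$editable_blog_columns = array(
    'public'   => '%d',
    'archived' => '%d',
    'mature'   => '%d',
    'spam'     => '%d',
    'deleted'  => '%d',
);

/**
 * Keep only whitelisted keys, cast each value to its declared type and
 * build the matching $format array for $wpdb->update(). Pure function, so
 * it can be exercised without a database connection.
 */
function filter_blog_update_fields( array $posted, array $allowed ) {
    $data    = array();
    $formats = array();
    foreach ( $allowed as $column => $format ) {
        if ( ! array_key_exists( $column, $posted ) ) {
            continue; // column not submitted; leave it untouched
        }
        $data[ $column ] = ( '%d' === $format ) ? (int) $posted[ $column ] : (string) $posted[ $column ];
        $formats[]       = $format;
    }
    return array( $data, $formats );
}

/**
 * Hardened replacement for passing $_POST straight into $wpdb->update():
 * the WHERE clause is fixed to blog_id and both format arrays are explicit,
 * so every value is bound through prepare() inside update().
 */
function update_blog_flags( $wpdb, $blog_id, array $posted, array $allowed ) {
    list( $data, $formats ) = filter_blog_update_fields( $posted, $allowed );
    if ( empty( $data ) ) {
        return false; // nothing editable was submitted
    }
    return $wpdb->update( $wpdb->blogs, $data, array( 'blog_id' => (int) $blog_id ), $formats, array( '%d' ) );
}

// Constructed request: one legitimate flag plus two injected hidden fields
// of the kind the ticket describes (an existing column and a bogus one).
$posted = array( 'public' => '0', 'site_id' => '2', 'nonexistent_col' => 'x' );
list( $data, $formats ) = filter_blog_update_fields( $posted, $editable_blog_columns );
var_dump( $data, $formats );
```

In a form handler the call would follow the usual capability and nonce checks, with the caller's $_POST (after stripslashes_deep) passed as $posted; the filter guarantees that only the listed flag columns can ever appear in the SET clause.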

