[wp-trac] [WordPress Trac] #13317: Code Improvement in get_userdata

WordPress Trac wp-trac at lists.automattic.com
Sun May 16 02:13:07 UTC 2010


#13317: Code Improvement in get_userdata
------------------------------------+---------------------------------------
 Reporter:  hakre                   |        Owner:          
     Type:  defect (bug)            |       Status:  reopened
 Priority:  high                    |    Milestone:  3.0     
Component:  Security                |      Version:          
 Severity:  major                   |   Resolution:          
 Keywords:  has-patch dev-feedback  |  
------------------------------------+---------------------------------------

Comment(by hakre):

 Replying to [comment:20 nacin]:
 > Finally, there is a difference between returning an admin user object
 ''on error'' and stuffing absolute garbage into functions.
 Yeah, totally right. I just wonder why, when the docblocks already
 document that {{{$user_id}}} is to be an int, you run absint() on it
 anyway. I mean, it's already an integer, and if someone adds garbage into
 this function, like a negative integer, the function is not expected to
 return a user, right?

 You should really reflect what you say here in the end.

 Getting the admin when passing -1 to that function is not an equally good
 thing either. But let's better not be that strict; this is only about
 user management, which is known to be an area where doing things in a
 secure manner isn't further important.

 Sorry for so much irony.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/13317#comment:22>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software