[wp-trac] [WordPress Trac] #23480: Do Not Allow Negative IDs in wp_set_auth_cookie()

WordPress Trac noreply at wordpress.org
Fri Feb 15 16:03:59 UTC 2013


#23480: Do Not Allow Negative IDs in wp_set_auth_cookie()
--------------------------+--------------------
 Reporter:  mordauk       |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  3.6
Component:  Users         |     Version:  3.5.1
 Severity:  major         |  Resolution:
 Keywords:  has-patch     |
--------------------------+--------------------
Changes (by nacin):

 * milestone:  Awaiting Review => 3.6


Comment:

 The issue here is much deeper in the stack. wp_generate_auth_cookie() also
 assumes that the passed user ID is proper, and has no error conditions if
 the user doesn't exist. Likewise, wp_set_auth_cookie() is always going to
 set an auth cookie — there are no error conditions.

 wp_generate_auth_cookie(), passed an invalid (positive) ID, would return
 the cookie's contents but without the first element of the cookie.
 However, it would start with a `|` so wp_parse_auth_cookie() would say it
 is valid and return an empty username. Only in wp_validate_auth_cookie()
 would the empty username finally be rejected.

 The fix to avoid -1 from being considered 1 is [attachment:23480.diff]. It
 would be prudent for more error handling to exist here, though.

 In the future, any bug report having to do with security should first be
 reported privately to security at wordpress.org.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/23480#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
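
The behaviour described in the comment above, as an added stand-alone PHP model (not WordPress core code and not part of the original message). The `model_*` and `strict_generate` functions, the key, the user table and the `abs()` normalisation are assumptions made for illustration, and the MAC is simplified to one keyed SHA-256 hash.

```php
<?php
// Stand-alone model of a "username|expiration|hmac" cookie; not WordPress code.
const MODEL_KEY = 'constructed-demo-key';   // constructed key
$users = [1 => 'admin'];                    // constructed user table: ID => login

function model_lookup(array $users, $id) {
    // Assumption: abs() stands in for whatever normalisation treats -1 as 1.
    return $users[abs((int) $id)] ?? null;
}

function model_mac(string $login, int $exp): string {
    return hash_hmac('sha256', $login . '|' . $exp, MODEL_KEY);
}

function model_generate(array $users, $id, int $exp): string {
    // No error condition: an unknown ID silently yields an empty login field.
    $login = model_lookup($users, $id) ?? '';
    return $login . '|' . $exp . '|' . model_mac($login, $exp);
}

function model_parse(string $cookie) {
    // Structural check only: three '|'-separated fields, username may be empty.
    $parts = explode('|', $cookie);
    return count($parts) === 3 ? array_combine(['username', 'expiration', 'hmac'], $parts) : false;
}

function model_validate(array $users, string $cookie) {
    $c = model_parse($cookie);
    if ($c === false || (int) $c['expiration'] < time()) return false;
    $id = array_search($c['username'], $users, true);
    if ($id === false) return false;        // empty or unknown username rejected only here
    $ok = hash_equals(model_mac($c['username'], (int) $c['expiration']), $c['hmac']);
    return $ok ? $id : false;
}

function strict_generate(array $users, $id, int $exp) {
    // Hardened variant: fail before any cookie is built for a bad ID.
    if (!is_int($id) || $id < 1 || !isset($users[$id])) return false;
    return model_generate($users, $id, $exp);
}

$exp = time() + 3600;
foreach ([1, -1, 42] as $id) {
    $cookie = model_generate($users, $id, $exp);
    $parsed = model_parse($cookie);
    printf("id=%d parses=%s username='%s' validates_as=%s strict=%s\n", $id,
        var_export($parsed !== false, true), $parsed['username'],
        var_export(model_validate($users, $cookie), true),
        strict_generate($users, $id, $exp) === false ? 'refused' : 'issued');
}
```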

