[wp-trac] [WordPress Trac] #35370: wp-activate.php use unfilter value in database query

WordPress Trac noreply at wordpress.org
Fri Jan 8 18:23:19 UTC 2016


#35370: wp-activate.php  use unfilter value in database query
----------------------------+----------------------
 Reporter:  alifamoorzadeh  |       Owner:
     Type:  defect (bug)    |      Status:  closed
 Priority:  normal          |   Milestone:
Component:  General         |     Version:  4.4.1
 Severity:  normal          |  Resolution:  invalid
 Keywords:                  |     Focuses:
----------------------------+----------------------
Changes (by ocean90):

 * status:  new => closed
 * resolution:   => invalid
 * milestone:  Awaiting Review =>


Comment:

 Hello @alifamoorzadeh, thanks for the report.

 In `wpmu_activate_signup()` the`$key` value gets escaped in
 [source:/tags/4.4.1/src/wp-includes/ms-functions.php#L955] through the use
 of `$wpdb->prepare()`
 ([https://developer.wordpress.org/reference/classes/wpdb/prepare/ code
 ref]), means we '''don't''' use unfiltered values in the query.

 Since this report was about a potential security issue please keep this
 mind:

 > '''Do not report potential security vulnerabilities here.'''
 > See the [https://make.wordpress.org/core/handbook/reporting-security-
 vulnerabilities/ Security FAQ] and contact security at wordpress.org.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/35370#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list