[wp-trac] Re: [WordPress Trac] #9640: wp_update_user() blindly calls add_magic_quotes(), even on objects
WordPress Trac
wp-trac at lists.automattic.com
Thu Apr 30 11:18:44 GMT 2009
#9640: wp_update_user() blindly calls add_magic_quotes(), even on objects
-----------------------------------+----------------------------------------
Reporter: misterbisson | Owner:
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: 2.8
Component: Users | Version: 2.8
Severity: normal | Resolution:
Keywords: dev-feedback security |
-----------------------------------+----------------------------------------
Changes (by hakre):
* keywords: dev-feedback => dev-feedback security
Comment:
some more factual info on the case:
1. {{{$user = get_userdata($ID);}}} returns an object (User DB row
object).
2. therefore the call to
{{{$user=add_magic_quotes(get_object_vars($user));}}} is perfectly valid.
what is not properly documented is the fact that get_userdata(); calls
_fill_user(). And that little piece makes a visit to ''my old friend''
(irony) maybe_unserialize(); and then puts meta_keys onto that user
object.
so if some user has serialized meta values then those will become
(''maybe'') unserialized.
maybe baby, the user object ''then'' contains subobjects.
oops, have we seen here that we can use meta_keys to overwrite users'
properties? nice one... (well not really).
so what's left? what to fix first? please choose:
a) _fill_user() - prevent overwriting of a user's properties with meta
values.
b) add_magic_quotes() variant A - to add quotes on sub-objects by
converting them to array values.
c) add_magic_quotes() variant B - to ignore sub-objects
note for add_magic_quotes(): Current state is quote like variant B but
with throwing an error.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/9640#comment:17>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
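A stand-alone PHP sketch of the chain hakre describes (get_userdata() filling the user object from meta, then add_magic_quotes() meeting a sub-object), added here as an illustration; it is not WordPress code, every function name in it is a stand-in, and the row and meta value are constructed. It shows fix (a), refusing to let a meta key overwrite an existing property, and variant A of add_magic_quotes(), casting sub-objects to arrays so their strings still get quoted.

```php
<?php
// Added illustration, not WordPress code. Function names are stand-ins.

// Stand-in for _fill_user(): copies meta rows onto the user object after
// maybe-unserializing them. Fix (a): a meta key must never overwrite a
// property the DB row already has (ID, user_login, ...).
function fill_user_guarded(stdClass $user, array $meta) {
    foreach ($meta as $key => $value) {
        // maybe_unserialize() stand-in: only replace the value if it
        // really was a serialized string (false is the one ambiguous case).
        $data = @unserialize($value);
        if ($data !== false || $value === 'b:0;') {
            $value = $data;
        }
        if (property_exists($user, $key)) {
            continue; // fix (a): core columns win over meta values
        }
        $user->$key = $value;
    }
    return $user;
}

// add_magic_quotes() stand-in, variant A: sub-objects are cast to arrays
// and quoted recursively, so addslashes() only ever sees strings and
// nothing is silently dropped.
function magic_quotes_variant_a($value) {
    if (is_object($value)) {
        $value = get_object_vars($value);
    }
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = magic_quotes_variant_a($v);
        }
        return $value;
    }
    return is_string($value) ? addslashes($value) : $value;
}

// Constructed sample: a user row plus two meta rows, one of which
// unserializes to an object and one of which collides with a column.
$row  = (object) array('ID' => 5, 'user_login' => "o'neil");
$meta = array(
    'ID'    => '99',                                       // collides with the real ID
    'prefs' => serialize((object) array('sig' => "it's me")), // becomes a sub-object
);
$user   = fill_user_guarded($row, $meta);
$quoted = magic_quotes_variant_a(get_object_vars($user));
var_dump($user->ID, $quoted['prefs']);
```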