[wp-trac] [WordPress Trac] #12868: General Settings Page Needs Error Checking

WordPress Trac wp-trac at lists.automattic.com
Wed Apr 14 04:24:59 UTC 2010


#12868: General Settings Page Needs Error Checking
----------------------------+-----------------------------------------------
 Reporter:  Josh Jones      |       Owner:                                                      
     Type:  defect (bug)    |      Status:  new                                                 
 Priority:  high            |   Milestone:  3.0                                                 
Component:  Administration  |     Version:  2.9.2                                               
 Severity:  major           |    Keywords:  error checking, blank value, has-patch, dev-feedback
----------------------------+-----------------------------------------------
Changes (by blepoxp):

 * cc: glenn@… (added)
  * keywords:  error checking, blank value => error checking, blank value,
               has-patch, dev-feedback


Comment:

 Looking into this ticket I found what I think is a bug in the
 sanitize_options() function (wp-includes/formatting.php).

 My first solution was to just call the add_settings_error on line
 [http://core.trac.wordpress.org/browser/trunk/wp-includes/formatting.php#L2440 2440]
 (taking my cue from line 2361 for the admin_email).

 This didn't work though because update_option
 [http://core.trac.wordpress.org/browser/trunk/wp-includes/functions.php#L501 here]
 doesn't validate what's been returned... which means it still gets updated
 down on line
 [http://core.trac.wordpress.org/browser/trunk/wp-includes/functions.php#L532 532].

 This fact can be confirmed by using the admin email as an example. You can
 leave it blank, submit the form, and get the error - but it still updates
 the DB with an empty string. As noted in this ticket, the bug is more
 destructive if the Site URL is left empty.

 I've attached a half updated patch (it includes the error for the empty
 Site URL) but we need to decide how to prevent the option from being
 updated.

 I would have just included a check on line
 [http://core.trac.wordpress.org/browser/trunk/wp-includes/functions.php#L502 502]
 but wasn't sure how that would affect other options.

 Can someone give me the preferred way to proceed?

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/12868#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
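
The failure mode described in the comment above, as an added example that is not part of the original message and is not WordPress code: a stand-alone PHP model in which a validator records an error but the caller still writes the emptied value, next to a fail-closed variant that keeps the previous value. All function names and sample values are hypothetical, and the fail-closed variant is one possible approach, not necessarily the one the project chose.

```php
<?php
// Added illustration: a stand-alone model, not WordPress code.
// All function names are hypothetical; the option values are constructed.
$store  = ['admin_email' => 'admin@example.test', 'siteurl' => 'http://example.test'];
$errors = [];

// Returns [clean value, ok?] and records a user-facing error on failure.
function validate_option(string $name, string $value, array &$errors): array {
    $value = trim($value);
    if ($name === 'admin_email' && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = "$name: not a valid e-mail address";
        return ['', false];
    }
    if ($name === 'siteurl' && filter_var($value, FILTER_VALIDATE_URL) === false) {
        $errors[] = "$name: must be a non-empty URL";
        return ['', false];
    }
    return [$value, true];
}

// Behaviour described in the comment: the error is reported,
// but the validation result is ignored and the write still happens.
function update_report_only(array &$store, string $name, string $value, array &$errors): void {
    [$clean] = validate_option($name, $value, $errors);
    $store[$name] = $clean;
}

// Fail-closed variant: a rejected value never reaches the store.
function update_fail_closed(array &$store, string $name, string $value, array &$errors): bool {
    [$clean, $ok] = validate_option($name, $value, $errors);
    if (!$ok) {
        return false; // previous value is kept
    }
    $store[$name] = $clean;
    return true;
}

// Submit a blank Site URL through both paths, each on its own copy of the store.
$a = $store;
$b = $store;
update_report_only($a, 'siteurl', '', $errors);
update_fail_closed($b, 'siteurl', '', $errors);

var_dump($a['siteurl']); // value stored by the report-only path
var_dump($b['siteurl']); // value stored by the fail-closed path
print_r($errors);        // both paths still surface the error to the user
```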

