[wp-trac] [WordPress Trac] #11644: multiple blogs & sites / merge WPMU
WordPress Trac
wp-trac at lists.automattic.com
Wed Jan 20 23:17:10 UTC 2010
#11644: multiple blogs & sites / merge WPMU
----------------------------+-----------------------------------------------
Reporter: hakre | Owner: wpmuguru
Type: task (blessed) | Status: assigned
Priority: normal | Milestone: 3.0
Component: Multisite | Version:
Severity: normal | Keywords: multisite
----------------------------+-----------------------------------------------
Comment(by ryan):
Replying to [comment:92 jamescollins]:
> Replying to [comment:86 ryan]:
> > (In [12774]) Use update. see #11644
>
> I realise that this changeset has simplified the code, but is it
> considered a security risk that a site admin could update other fields in
> the wp_blogs table by adding them to the form before submitting it?
>
> i.e. there is nothing stopping a site admin from adding a lang_id or
> site_id hidden field, then submitting the form. Alternatively I could add
> any other hidden field that doesn't exist in the wp_blogs table, and it
> would cause a SQL error.
>
> Prior to [12774] these extra fields would have been ignored.
That change is a first step. It helps security by actually escaping the
data properly, but the extra fields are an issue. I just haven't gotten to
rewriting it the rest of the way. Patches appreciated. There are dozens of
places in the ms- files that need to use prepare(), insert(), or update()
rather than stuffing POST and GET values directly into a query.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11644#comment:96>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
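The problem jamescollins describes and the direction ryan points to (build the data array from a fixed list, then hand it to update()) as an added example; this is not WordPress core code, and it runs against a constructed SQLite stand-in for wp_blogs whose column set and values are invented for the demonstration.

```php
<?php
// Added example, not WordPress core code: the mass-assignment problem raised
// in the comment, reproduced against a constructed SQLite stand-in for
// wp_blogs (column set and values are invented for the demonstration).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wp_blogs (blog_id INTEGER PRIMARY KEY, site_id INTEGER,'
        . ' domain TEXT, path TEXT, public INTEGER, lang_id INTEGER)');
$db->exec("INSERT INTO wp_blogs VALUES (2, 1, 'example.test', '/blog/', 1, 0)");

// Minimal stand-in for $wpdb->update(): values are bound, but column names
// come straight from the keys of $data, so the caller decides which columns
// are touched. That is fine when $data is built from a fixed list and
// dangerous when it is the raw form submission.
function update_row(PDO $db, string $table, array $data, array $where): void
{
    $set  = implode(', ', array_map(fn($c) => "$c = ?", array_keys($data)));
    $cond = implode(' AND ', array_map(fn($c) => "$c = ?", array_keys($where)));
    $stmt = $db->prepare("UPDATE $table SET $set WHERE $cond");
    $stmt->execute(array_merge(array_values($data), array_values($where)));
}

// Constructed hostile submission: the fields the edit form really carries,
// plus site_id and lang_id smuggled in as hidden inputs, plus a field that
// is not a column at all.
$post = ['domain' => 'example.test', 'path' => '/new/', 'public' => 0,
         'site_id' => 99, 'lang_id' => 7, 'no_such_column' => 'x'];

// Before: everything submitted goes into the UPDATE. Here SQLite rejects the
// unknown column; drop that key and site_id/lang_id would be silently rewritten.
try {
    update_row($db, 'wp_blogs', $post, ['blog_id' => 2]);
} catch (PDOException $e) {
    echo "unfiltered update failed: " . $e->getMessage() . "\n";
}

// After: allowlist the columns this form is meant to change and discard the
// rest before calling update(); array_intersect_key keeps only listed keys.
$editable = array_flip(['domain', 'path', 'public']);
$safe     = array_intersect_key($post, $editable);
update_row($db, 'wp_blogs', $safe, ['blog_id' => 2]);

$row = $db->query('SELECT site_id, path, public, lang_id FROM wp_blogs WHERE blog_id = 2')
          ->fetch(PDO::FETCH_ASSOC);
// site_id and lang_id keep their original values; only path and public changed.
print_r($row);
```

The same allowlist step applies to each of the ms- call sites ryan mentions: decide the editable columns in code, never from the request.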