[wp-trac] [WordPress Trac] #23480: Do Not Allow Negative IDs in wp_set_auth_cookie()
WordPress Trac
noreply at wordpress.org
Fri Feb 15 16:03:59 UTC 2013
#23480: Do Not Allow Negative IDs in wp_set_auth_cookie()
--------------------------+--------------------
Reporter: mordauk | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.6
Component: Users | Version: 3.5.1
Severity: major | Resolution:
Keywords: has-patch |
--------------------------+--------------------
Changes (by nacin):
* milestone: Awaiting Review => 3.6
Comment:
The issue here is much deeper in the stack. wp_generate_auth_cookie() also
assumes that the passed user ID is proper, and has no error conditions if
the user doesn't exist. Likewise, wp_set_auth_cookie() is always going to
set an auth cookie — there are no error conditions.
wp_generate_auth_cookie(), passed an invalid (positive) ID, would return
the cookie's contents but without the first element of the cookie.
However, it would start with a `|` so wp_parse_auth_cookie() would say it
is valid and return an empty username. Only in wp_validate_auth_cookie()
would the empty username finally be rejected.
The fix to avoid -1 from being considered 1 is [attachment:23480.diff]. It
would be prudent for more error handling to exist here, though.
In the future, any bug report having to do with security should first be
reported privately to security at wordpress.org.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/23480#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list