[wp-trac] [WordPress Trac] #35370: wp-activate.php use unfilter value in database query
WordPress Trac
noreply at wordpress.org
Fri Jan 8 18:23:19 UTC 2016
#35370: wp-activate.php use unfilter value in database query
----------------------------+----------------------
Reporter: alifamoorzadeh | Owner:
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: General | Version: 4.4.1
Severity: normal | Resolution: invalid
Keywords: | Focuses:
----------------------------+----------------------
Changes (by ocean90):
* status: new => closed
* resolution: => invalid
* milestone: Awaiting Review =>
Comment:
Hello @alifamoorzadeh, thanks for the report.
In `wpmu_activate_signup()` the`$key` value gets escaped in
[source:/tags/4.4.1/src/wp-includes/ms-functions.php#L955] through the use
of `$wpdb->prepare()`
([https://developer.wordpress.org/reference/classes/wpdb/prepare/ code
ref]), means we '''don't''' use unfiltered values in the query.
Since this report was about a potential security issue please keep this
mind:
> '''Do not report potential security vulnerabilities here.'''
> See the [https://make.wordpress.org/core/handbook/reporting-security-
vulnerabilities/ Security FAQ] and contact security at wordpress.org.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/35370#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list