[wp-trac] [WordPress Trac] #31686: wp_authenticate_username_password() should check for a WP_Error object
WordPress Trac
noreply at wordpress.org
Tue Aug 6 05:40:34 UTC 2019
#31686: wp_authenticate_username_password() should check for a WP_Error object
-------------------------------+------------------------------
Reporter: kwisatz | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 3.7
Severity: normal | Resolution: maybelater
Keywords: reporter-feedback | Focuses:
-------------------------------+------------------------------
Comment (by donmhico):
I'm not sure how to proceed with this. From the documentation of
`wp_authenticate_username_password()`
{{{#!php
@param WP_User|WP_Error|null $user WP_User or WP_Error object from a
previous callback. Default null.
}}}
It seems that it's expecting the `$user` input as a WP_Error instance in
some cases. And considering that the WP_Error check is placed below the
empty `$username` and empty `$password` check:
{{{#!php
if ( empty( $username ) || empty( $password ) ) {
    if ( is_wp_error( $user ) ) {
        return $user;
    }
    .......
}
}}}
It may be possible that `wp_authenticate_username_password()` gives a
chance to a WP_Error `$user` to still be authenticated if the `$username`
and `$password` are provided. I'm just not sure if there's a good use-case
for such a scenario or if this is really an intended behaviour.
IMHO, if the `$user` passed is a WP_Error then it should immediately
return the WP_Error. Like @kwisatz's concern, this may be a potential
security hole.
We need more feedback regarding this.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/31686#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
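An added PHP illustration of the ordering concern raised in the comment above; it is not WordPress core code and not the commenter's. `WP_Error`, `is_wp_error()`, the `$lookup` closure and the `alice` credentials are minimal stand-ins assumed here so the control flow can be run outside WordPress.

```php
<?php
// Stand-ins for WordPress types so this runs stand-alone (assumption, not core code).
class WP_Error {
    public $code;
    public function __construct($code) { $this->code = $code; }
}
function is_wp_error($thing) { return $thing instanceof WP_Error; }

// Ordering as quoted in the ticket: the WP_Error check only runs inside the
// empty-credential branch, so a rejection produced by an earlier
// 'authenticate' callback is discarded whenever both credentials are present.
function authenticate_as_quoted($user, $username, $password, callable $lookup) {
    if (empty($username) || empty($password)) {
        if (is_wp_error($user)) {
            return $user;
        }
        return new WP_Error('empty_credentials');
    }
    // $user is never consulted again here; the earlier WP_Error is lost.
    return $lookup($username, $password);
}

// Ordering proposed in the comment: a WP_Error from an earlier callback
// short-circuits before the credentials are looked at.
function authenticate_early_return($user, $username, $password, callable $lookup) {
    if (is_wp_error($user)) {
        return $user;
    }
    if (empty($username) || empty($password)) {
        return new WP_Error('empty_credentials');
    }
    return $lookup($username, $password);
}

// Constructed credential check standing in for the real password lookup.
$lookup = function ($u, $p) {
    return ($u === 'alice' && $p === 'correct-horse-battery') ? 'WP_User(alice)' : new WP_Error('invalid');
};

function describe($result) {
    return is_wp_error($result) ? 'WP_Error(' . $result->code . ')' : $result;
}

// An earlier callback (e.g. a lockout or 2FA plugin) already rejected this login.
$rejected = new WP_Error('rejected_by_earlier_callback');
echo 'as quoted:    ' . describe(authenticate_as_quoted($rejected, 'alice', 'correct-horse-battery', $lookup)) . PHP_EOL;
echo 'early return: ' . describe(authenticate_early_return($rejected, 'alice', 'correct-horse-battery', $lookup)) . PHP_EOL;
```

With valid credentials, only the early-return ordering preserves the earlier callback's rejection; the quoted ordering authenticates the user anyway.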