[wp-trac] [WordPress Trac] #43936: Settings: Warn when open registration and new user default is privileged
WordPress Trac
noreply at wordpress.org
Tue Dec 10 19:01:14 UTC 2019
#43936: Settings: Warn when open registration and new user default is privileged
-------------------------------------+-----------------------------
Reporter: kraftbj | Owner: SergeyBiryukov
Type: defect (bug) | Status: reviewing
Priority: normal | Milestone: 5.4
Component: Users | Version:
Severity: normal | Resolution:
Keywords: has-patch needs-refresh | Focuses: administration
-------------------------------------+-----------------------------
Comment (by jrf):
Replying to [comment:16 ottok]:
> > 2. The `update_option()` call to update the value for `default_role`
> > (saving).
>
> This would not protect against the SQL injections I referred to. I was
> thinking of making a patch that affects fetching the option from the
> database, and if the database value is 'administrator', the code would
> ignore that value and return 'subscriber' instead.

You're completely correct, though it would prevent saving of the invalid
value from within the WP framework.

An additional filter on the `option_default_role`, as you suggest, could
help in that regard 👍. Just keep in mind that any filter can be
unhooked.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/43936#comment:17>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
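
The read-side filter on `option_default_role` suggested in the comment above, paired with a save-side guard on `update_option()`, as an added example. It is not code from the ticket or from WordPress core; the `example_` function names and the capability list are assumptions, and it is written as a must-use plugin so that it loads before regular plugins.

```php
<?php
// Added example, not WordPress core code. Names prefixed example_ are hypothetical.
defined( 'ABSPATH' ) || exit;

// Assumed list of capabilities a self-registered account should never receive.
const EXAMPLE_PRIVILEGED_CAPS = array(
	'manage_options', 'edit_users', 'promote_users', 'create_users',
	'install_plugins', 'activate_plugins', 'edit_plugins', 'edit_themes',
	'unfiltered_html', 'edit_others_posts',
);

// True when the role is unknown or grants any capability from the list above.
function example_role_is_privileged( $role_name ) {
	$role = is_string( $role_name ) ? get_role( $role_name ) : null;
	if ( null === $role ) {
		return true; // Fail closed on missing or malformed values.
	}
	foreach ( EXAMPLE_PRIVILEGED_CAPS as $cap ) {
		if ( $role->has_cap( $cap ) ) {
			return true;
		}
	}
	return false;
}

// Read side: whatever is stored in the database, never hand back a privileged role.
function example_default_role_on_read( $value ) {
	if ( ! example_role_is_privileged( $value ) ) {
		return $value;
	}
	static $logged = false;
	if ( ! $logged ) {
		$logged = true; // Log once per request so the condition is visible to operators.
		error_log( 'default_role holds a privileged or unknown role; using subscriber' );
	}
	return 'subscriber';
}
add_filter( 'option_default_role', 'example_default_role_on_read', PHP_INT_MAX );

// Save side: refuse a privileged value. Returning the old value makes
// update_option() see no change, so nothing is written.
function example_default_role_on_save( $value, $old_value ) {
	return example_role_is_privileged( $value ) ? $old_value : $value;
}
add_filter( 'pre_update_option_default_role', 'example_default_role_on_save', PHP_INT_MAX, 2 );
```

As the comment points out, any filter can be unhooked, so this narrows the exposure rather than removing it.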