[wp-trac] [WordPress Trac] #46536: wp_create_user_request should sanitize the action_name using _wp_privacy_action_request_types
WordPress Trac
noreply at wordpress.org
Sat Mar 16 06:36:25 UTC 2019
#46536: wp_create_user_request should sanitize the action_name using
_wp_privacy_action_request_types
-----------------------------+-----------------------------
Reporter: garrett-eclipse | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Privacy | Version: 4.9.6
Severity: normal | Keywords:
Focuses: |
-----------------------------+-----------------------------
Hello,
It was flagged by @birgire in
[https://core.trac.wordpress.org/ticket/44721#comment:20 #44721] that the
`wp_create_user_request` would accept any action name.
The check against `_wp_privacy_action_request_types` found in
`_wp_personal_data_handle_actions` should be moved into
`wp_create_user_request` to check against invalid request actions. The
check I'm speaking of:
https://github.com/WordPress/wordpress-develop/blob/5.1.1/src/wp-admin/includes/user.php#L691-L698
As the wp_create_user_request is called directly after the check, moving it
into the function results in the same sanitization for
`_wp_personal_data_handle_actions` while also sanitizing the other methods
such as `_wp_privacy_send_erasure_fulfillment_notification`.
All the best
--
Ticket URL: <https://core.trac.wordpress.org/ticket/46536>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
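
An added sketch of the change the ticket proposes, not WordPress core code and not part of the original message. The `example_*` functions are hypothetical stand-ins for `_wp_privacy_action_request_types` and `wp_create_user_request`, and the two request type names are assumed to be what the allow-list returns.

```php
<?php
// Stand-in for _wp_privacy_action_request_types(); the two values are assumed.
function example_allowed_request_types(): array {
    return array( 'export_personal_data', 'remove_personal_data' );
}

// Stand-in for wp_create_user_request() with the allow-list check moved inside,
// so every caller is validated, not only the admin form handler.
function example_create_user_request( string $email, string $action_name ) {
    // Normalise the key first (lowercase, [a-z0-9_-] only), then compare.
    $action_name = preg_replace( '/[^a-z0-9_\-]/', '', strtolower( $action_name ) );

    if ( ! filter_var( $email, FILTER_VALIDATE_EMAIL ) ) {
        return array( 'error' => 'invalid_email' );
    }
    // Strict comparison: no type juggling against the allow-list entries.
    if ( ! in_array( $action_name, example_allowed_request_types(), true ) ) {
        return array( 'error' => 'invalid_action' );
    }
    return array( 'email' => $email, 'action' => $action_name, 'status' => 'pending' );
}

// Caller A: a form handler that no longer needs its own copy of the check.
function example_handle_admin_form( array $post ) {
    return example_create_user_request( $post['email'] ?? '', $post['type'] ?? '' );
}

// Constructed inputs. Caller B is any code that calls the function directly.
$cases = array(
    'form, valid type'     => example_handle_admin_form( array( 'email' => 'user@example.org', 'type' => 'export_personal_data' ) ),
    'form, unknown type'   => example_handle_admin_form( array( 'email' => 'user@example.org', 'type' => 'not_a_request_type' ) ),
    'direct, valid type'   => example_create_user_request( 'user@example.org', 'remove_personal_data' ),
    'direct, unknown type' => example_create_user_request( 'user@example.org', 'my_custom_action' ),
);

foreach ( $cases as $label => $result ) {
    $outcome = isset( $result['error'] ) ? 'rejected (' . $result['error'] . ')' : 'created ' . $result['action'];
    echo $label, ': ', $outcome, PHP_EOL;
}
```

Both unknown-type cases are rejected with the same error, whichever path reaches the function.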