[wp-trac] [WordPress Trac] #51941: Unique names for Application Password
WordPress Trac
noreply at wordpress.org
Fri Jan 22 20:53:51 UTC 2021
#51941: Unique names for Application Password
-------------------------------------------------+-------------------------
Reporter: Boniu91 | Owner: boniu91
Type: enhancement | Status: assigned
Priority: normal | Milestone: 5.7
Component: Application Passwords | Version: 5.6
Severity: normal | Resolution:
Keywords: has-patch needs-testing has-unit-tests | Focuses: administration
-------------------------------------------------+-------------------------
Comment (by xkon):
I had a look, as discussed on Slack during testing earlier today, and as
@Boniu91 mentions in the ticket there's no validation. Everything passes
as-is into the DB and we end up with instances like
`s:4:"name";s:29:"<script>alert('hey')</script>";` or `s:4:"name";s:18:"<?php
echo 'test';"` and so on.
I'm not entirely sure, but @TimothyBlynJacobs, I guess it wouldn't hurt to
pass `$args['name']` through `sanitize_text_field()` in
`create_new_application_password()` to keep the DB clean, correct?
This would also help with other chars such as `/` or ` ` (space) that allow
applications with visually "no name" to be added.
Since it was mentioned and it seems a small change, maybe we can add it
here directly as well.
Thanks to @pbiron as well for cross checking :) .
--
Ticket URL: <https://core.trac.wordpress.org/ticket/51941#comment:14>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
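The validation discussed in the comment above, as an added example that is not WordPress core code and not a patch from the ticket. It runs without WordPress loaded, so `example_sanitize_name()` is a stand-in approximation of `sanitize_text_field()` (tag stripping via the same script/style-then-`strip_tags()` order that `wp_strip_all_tags()` uses, control-character removal, whitespace collapsing, trim), and `example_validate_name()` adds the two checks the ticket is about: an empty or visually empty name is refused, and a name a user already has is refused. The function names, the letter-or-digit rule, and the sample names are assumptions made for this example.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not WordPress core code. example_sanitize_name() is an
 * approximation of sanitize_text_field() so the file runs without WordPress:
 * drop <script>/<style> blocks with their contents, strip remaining tags,
 * remove control characters, collapse whitespace, trim. Names are hypothetical.
 */
function example_sanitize_name(string $name): string
{
    // Remove <script>...</script> and <style>...</style> including contents.
    $name = (string) preg_replace('@<(script|style)[^>]*?>.*?</\1>@si', '', $name);
    // Drop any remaining HTML/PHP tags. An unterminated "<?php ..." is
    // stripped to the end of the string, which is what strip_tags() does.
    $name = strip_tags($name);
    // Remove ASCII control characters (C0 range and DEL).
    $name = (string) preg_replace('/[\x00-\x1F\x7F]/', '', $name);
    // Collapse runs of whitespace into a single space and trim the ends.
    $name = (string) preg_replace('/\s+/u', ' ', $name);
    return trim($name);
}

/**
 * Validate a proposed application password name against the names the user
 * already has. Returns [true, $clean_name] or [false, $error_message].
 *
 * @param string   $raw      Name as submitted by the client.
 * @param string[] $existing Names already stored for this user.
 * @return array{0: bool, 1: string}
 */
function example_validate_name(string $raw, array $existing): array
{
    $name = example_sanitize_name($raw);

    if ($name === '') {
        return [false, 'An application name is required.'];
    }
    // Stricter than sanitize_text_field() (an assumption of this example):
    // require at least one letter or digit so a name like "/" that looks
    // empty in the admin UI is refused too.
    if (!preg_match('/[\p{L}\p{N}]/u', $name)) {
        return [false, 'Application names must contain a letter or digit.'];
    }
    // Uniqueness per user: exact match after sanitization, so a variant that
    // differs only by tags or whitespace is still a duplicate.
    if (in_array($name, $existing, true)) {
        return [false, 'An application with that name already exists.'];
    }
    return [true, $name];
}

// Constructed sample input: names this user already has, plus candidates
// mirroring the cases raised in the ticket.
$existing   = ['Mobile App', 'Backup Script'];
$candidates = [
    'Mobile App',                       // duplicate of a stored name
    "<script>alert('hey')</script>",    // stripped to nothing
    "<?php echo 'test';",               // stripped to nothing
    '/',                                // visually empty
    '   ',                              // whitespace only
    "Deploy\tBot  ",                    // accepted as "Deploy Bot"
    'Deploy <b>Bot</b>',                // sanitizes to "Deploy Bot": duplicate
];

foreach ($candidates as $raw) {
    [$ok, $value] = example_validate_name($raw, $existing);
    if ($ok) {
        // Record the accepted name so later candidates are checked against it.
        $existing[] = $value;
        $result = 'OK: ' . serialize(['name' => $value]);
    } else {
        $result = 'REJECTED: ' . $value;
    }
    printf("%-34s => %s\n", var_export($raw, true), $result);
}
```

Run with `php example.php`. The serialized form printed for accepted names is the same `s:4:"name";s:N:"..."` shape quoted in the comment, so the output shows directly which of the problematic inputs never reach storage and that the uniqueness check still catches a duplicate that only differs by markup or whitespace.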