[wp-trac] [WordPress Trac] #51941: Unique names for Application Password

WordPress Trac noreply at wordpress.org
Fri Jan 22 20:53:51 UTC 2021


#51941: Unique names for Application Password
-------------------------------------------------+-------------------------
 Reporter:  Boniu91                              |       Owner:  boniu91
     Type:  enhancement                          |      Status:  assigned
 Priority:  normal                               |   Milestone:  5.7
Component:  Application Passwords                |     Version:  5.6
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch needs-testing has-unit-    |     Focuses:
  tests                                          |  administration
-------------------------------------------------+-------------------------

Comment (by xkon):

 I had a look as discussed on Slack during testing earlier today and, as
 @Boniu91 mentions in the ticket, there's no validation. Everything passes
 as-is into the DB and we end up with instances like
 `s:4:"name";s:29:"<script>alert('hey')</script>";`,
 `s:4:"name";s:18:"<?php echo 'test';"` and so on and so forth.

 I'm not entirely sure but @TimothyBlynJacobs I guess it wouldn't hurt to
 pass the `$args['name']` via a `sanitize_text_field()` in
 `create_new_application_password()` to keep the db clean, correct?

 This would also help with other chars such as `/` or ` ` (space) that allow
 applications with visually "no name" to be added.

 Since it was mentioned and it's a small change as it seems maybe we can
 add it here as well directly.

 Thanks to @pbiron as well for cross-checking :) .

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/51941#comment:14>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
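An added example (not WordPress core code and not from the comment author) of the sanitize-then-reject check the comment proposes for `$args['name']` before `create_new_application_password()` stores it. It runs as a stand-alone PHP script; `clean_app_password_name()` and `validate_app_password_name()` are hypothetical stand-ins that approximate what `sanitize_text_field()` does rather than calling it.

```php
<?php
// Added example, not WordPress core code. It approximates the validation the
// comment proposes for $args['name'] before create_new_application_password()
// stores it. The helpers below are hypothetical stand-ins; inside WordPress,
// sanitize_text_field() would do the cleaning step.

/**
 * Approximate sanitize_text_field(): drop <script>/<style> blocks, strip
 * HTML and PHP tags, remove control characters, collapse and trim whitespace.
 */
function clean_app_password_name(string $name): string {
    $name = preg_replace('@<(script|style)[^>]*?>.*?</\1>@si', '', $name);
    $name = strip_tags($name);                            // also removes <?php ... tags
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name); // control characters
    $name = preg_replace('/\s+/', ' ', $name);            // runs of whitespace -> one space
    return trim($name);
}

/**
 * Return the cleaned name, or null when it must be rejected: nothing is left
 * after cleaning, or only the "visually empty" characters the comment lists
 * ("/" and space) remain.
 */
function validate_app_password_name(string $raw): ?string {
    $name = clean_app_password_name($raw);
    if ($name === '' || preg_replace('#[\s/]+#', '', $name) === '') {
        return null;
    }
    return $name;
}

// Constructed inputs mirroring the examples quoted in the comment.
$samples = [
    "<script>alert('hey')</script>",
    "<?php echo 'test';",
    "/",
    " ",
    "  My <b>laptop</b> client  ",
];
foreach ($samples as $raw) {
    $name = validate_app_password_name($raw);
    if ($name === null) {
        printf("%-40s -> rejected\n", var_export($raw, true));
    } else {
        // What would land in the DB, in the serialized form the comment quotes.
        printf("%-40s -> %s\n", var_export($raw, true), serialize(['name' => $name]));
    }
}
```

The first four samples are rejected; the last one is stored as `a:1:{s:4:"name";s:16:"My laptop client";}`.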

