[wp-trac] [WordPress Trac] #55456: Double escaping wp_user-settings
WordPress Trac
noreply at wordpress.org
Thu Mar 24 09:27:13 UTC 2022
#55456: Double escaping wp_user-settings
--------------------------+-----------------------------
Reporter: phatkoala | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Users | Version: 5.9.2
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
Fresh install of WordPress with no plugins and using the default Twenty
Twenty-Two theme.
Either directly insert test data:
{{{
INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (1,
'wp_user-settings', 'foo=1&bar=1');
}}}
Or activate this plugin:
{{{
<?php
/*
Plugin Name: Ampersand Test
*/
register_activation_hook( __FILE__, function() {
	set_user_setting( 'foo', 1 );
	set_user_setting( 'bar', 1 );
} );
}}}
The names of the attributes and their values are completely arbitrary and
have no impact on the behaviour.
Now go to your "Profile" page (/wp-admin/profile.php) and press "Update
Profile". Wait 5 seconds and repeat.
The value of wp_user-settings in the database and COOKIE is being double
escaped (escaped on read and escaped on write).
Therefore the value of wp_user-settings does this:
- foo=1&bar=1
- foo=1&bar=1
- foo=1&ampbar=1
- foo=1&ampampbar=1
- and so forth
Once the value of wp_user-settings becomes too long and/or combined with a
user using the same browser with multiple logins, the length of the
COOKIE(s) will become too large and the request header will be rejected by
Apache/Nginx.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/55456>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
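
The growth pattern listed in the ticket can be modelled outside WordPress to check stored values and estimate headroom. This is an added example, not code from the ticket or from WordPress core; the function names, the sanitising character class and the 8190-byte limit are assumptions.

```php
<?php
// Added illustration, not WordPress core code. All function names are hypothetical.

// One "Update Profile" round trip as the ticket describes it: '&' is
// entity-escaped, then characters outside the allowed set (';' included)
// are stripped. ASSUMPTION: this character class matches your core version.
function model_round_trip( string $settings ): string {
    $escaped = str_replace( '&', '&amp;', $settings );
    return (string) preg_replace( '/[^A-Za-z0-9=&_-]+/', '', $escaped );
}

// How many escape rounds a stored value already carries (0 = clean).
// A genuine setting whose name starts with "amp" would be a false positive.
function escape_rounds( string $settings ): int {
    preg_match_all( '/&((?:amp)+)/', $settings, $m );
    $rounds = 0;
    foreach ( $m[1] as $run ) {
        $rounds = max( $rounds, intdiv( strlen( $run ), 3 ) );
    }
    return $rounds;
}

// Profile updates until the value alone exceeds $limit bytes, or null if
// it holds a single setting (no '&', so nothing grows).
function updates_until_over( string $settings, int $limit ): ?int {
    $amps = substr_count( $settings, '&' );
    if ( 0 === $amps ) {
        return null;
    }
    $len = strlen( $settings );
    // Each round adds 3 bytes ("amp") per separator.
    return $len > $limit ? 0 : intdiv( $limit - $len, 3 * $amps ) + 1;
}

// Constructed sample values, not taken from a real site.
$value = 'foo=1&bar=1';
for ( $i = 0; $i < 3; $i++ ) {
    printf( "%d rounds: %s\n", escape_rounds( $value ), $value );
    $value = model_round_trip( $value );
}
// ASSUMPTION: 8190 bytes stands in for the server's header field limit.
printf( "updates left: %d\n", updates_until_over( 'foo=1&bar=1', 8190 ) );
```

The estimate covers the settings value alone; the cookie name, other cookies and additional logged-in accounts in the same browser reduce the real headroom.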