Skip to:
Content

BuddyPress.org

Opened 7 years ago

Closed 7 years ago

#4989 closed defect (bug) (fixed)

Improvements to groups classes to 'include' and 'exclude' args and parameters

Reported by: johnjamesjacoby Owned by:
Milestone: 1.7.2 Priority: highest
Severity: critical Version: 1.2
Component: Groups Keywords: has-patch needs-testing
Cc:

Description

It's possible to pass malformed values into several of the include and exclude parameters in bp-groups-classes.php, causing unexpected results (including potential SQL injection.)

Affected methods:

  • BP_Groups_Group::get()
  • BP_Groups_Group::get_by_most_forum_topics()
  • BP_Groups_Group::get_by_letter()
  • BP_Groups_Group::get_random()
  • BP_Groups_Member::get_invites()
  • BP_Groups_Member::get_all_for_group()

Attachments (8)

4898.patch (4.5 KB) - added by johnjamesjacoby 7 years ago.
4898.2.patch (4.2 KB) - added by johnjamesjacoby 7 years ago.
escape() rather than prepare()
4898.3.patch (12.7 KB) - added by johnjamesjacoby 7 years ago.
4898.4.patch (15.4 KB) - added by johnjamesjacoby 7 years ago.
Without the new like_escape() method, and with proper order of esc_sql() and like_escape()
4898.5.patch (15.3 KB) - added by johnjamesjacoby 7 years ago.
Same as 4, but without the trim()'s
4989.activity.1.patch (3.8 KB) - added by DJPaul 7 years ago.
4989.blogs.1.patch (3.2 KB) - added by DJPaul 7 years ago.
4989.core.1.patch (7.1 KB) - added by DJPaul 7 years ago.

Download all attachments as: .zip

Change History (20)

@johnjamesjacoby
7 years ago

escape() rather than prepare()

#1 @johnjamesjacoby
7 years ago

Some other methods and parameters are also affected:

  • BP_Groups_Group::search_groups() - sort_by, order
  • BP_Groups_Group:: get_group_extras() - group_ids
  • BP_Groups_Group:: get_global_topic_count() - search_terms
  • BP_Groups_Groups::get_random_groups() - total_groups

#2 @johnjamesjacoby
7 years ago

Third patch fixes the above methods, and introduces custom like_escape() methods to BP_Groups_Group and BP_Groups_Member to handle the sanitization of other search terms, filters, and untrusted strings.

@johnjamesjacoby
7 years ago

Without the new like_escape() method, and with proper order of esc_sql() and like_escape()

@johnjamesjacoby
7 years ago

Same as 4, but without the trim()'s

#3 @johnjamesjacoby
7 years ago

Just noticed the momentary dyslexia on the patch names. Lame.

#4 @boonebgorges
7 years ago

In 7014:

Audit of parameter sanitization in Groups and Core database classes

  • Uses wp_parse_id_list() to sanitize parameters of integer arrays
  • Implements a more consistent approach to LIKE clause sanitization

See #4989

Props johnjamesjacoby

#5 @boonebgorges
7 years ago

In 7015:

Audit of parameter sanitization in Groups and Core database classes

  • Uses wp_parse_id_list() to sanitize parameters of integer arrays
  • Implements a more consistent approach to LIKE clause sanitization

Props johnjamesjacoby

Introduces a number of unit tests for the Groups and Core database classes, to
accompany the security hardening.

See #4989

#6 @johnjamesjacoby
7 years ago

In 7016:

Remove calls to trim() introduced in r7014 to still allow searching for beginning or ending spaces. See #4989.

#7 @johnjamesjacoby
7 years ago

In 7017:

Remove calls to trim() introduced in r7015 to still allow searching for beginning or ending spaces. See #4989.

#8 @johnjamesjacoby
7 years ago

In 7020:

More array sanitization hardening using wp_parse_id_list() in bp-groups-classes.php. See #4989 (1.7 branch)

#9 @johnjamesjacoby
7 years ago

In 7021:

More array sanitization hardening using wp_parse_id_list() in bp-groups-classes.php. See #4989 (trunk)

@DJPaul
7 years ago

@DJPaul
7 years ago

#10 @johnjamesjacoby
7 years ago

In 7029:

Use wp_parse_id_list() in BP_XProfile_FieldData::get_value_byid(). See #4989 (1.7 branch)

#11 @johnjamesjacoby
7 years ago

In 7030:

Use wp_parse_id_list() in BP_XProfile_FieldData::get_value_byid(). See #4989 (trunk)

#12 @boonebgorges
7 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Marking resolved. Thanks for your work, all.

Note: See TracTickets for help on using tickets.