Skip to:
Content

BuddyPress.org

Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#4992 closed defect (bug) (fixed)

Sanitization improvements to BP_Core_User methods

Reported by: johnjamesjacoby Owned by: boonebgorges
Milestone: 1.7.2 Priority: highest
Severity: critical Version: 1.2
Component: Core Keywords: has-patch
Cc:

Description

As part of a bigger audit related to #4985, I've found several methods that trust the values passed into them that should also be utilizing wp_parse_id_list().

  • get_users()
  • get_specific_users()
  • get_user_extras()

It's worth noting that get_user_extras() seems to expect an array already, though wp_parse_id_list() is smart enough to figure out strings. Patch attached.

Attachments (3)

4992.patch (3.9 KB) - added by johnjamesjacoby 7 years ago.
4992.2.patch (5.1 KB) - added by johnjamesjacoby 7 years ago.
Includes other bp-core component IN () query usages
4989.core.1.patch (7.1 KB) - added by DJPaul 7 years ago.

Download all attachments as: .zip

Change History (7)

@johnjamesjacoby
7 years ago

Includes other bp-core component IN () query usages

@DJPaul
7 years ago

#1 @DJPaul
7 years ago

Attached path with my audit of the core component, too.

#2 @boonebgorges
7 years ago

Thanks, guys. I've reviewed the two patches. There were one or two places where each of you caught something that the other hadn't, so it's nice to have many eyes.

For the sake of standardization, I've gone with the following strategy and syntax for sanitizing integer lists for use in a query:

$include = implode( ',', wp_parse_id_list( $include ) );
  • one line, easy to read
  • No need to run through esc_sql(). All that does is addslashes() (wpdb::_weak_escape()). The return value of wp_parse_id_list() will always be an array of positive integers, so imploding them with commas will never result in anything that needs to be slashed (single quotes, double quotes, backslash, null character).

I'm also including, in the trunk commit, a number of tests for the more delicate of the database classes.

#3 @boonebgorges
7 years ago

  • Owner set to boonebgorges
  • Resolution set to fixed
  • Status changed from new to closed

In 7024:

Improved sanitization for Core component database methods

All constructed IN clauses for integer values are now run through
wp_parse_id_list().

Also adds tests for the relevant methods.

Fixes #4992

Props johnjamesjacoby, DJPaul

#4 @boonebgorges
7 years ago

In 7025:

Improved sanitization in the Core component database methods

All constructed IN clauses for integer values are now run through
wp_parse_id_list().

Fixes #4992 for the 1.7 branch

Props johnjamesjacoby, DJPaul

Note: See TracTickets for help on using tickets.