
BuddyPress.org

Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#4993 closed defect (bug) (fixed)

Improve friends component class methods sanitization

Reported by: johnjamesjacoby
Owned by: boonebgorges
Milestone: 1.7.2
Priority: highest
Severity: critical
Version: 1.2
Component: Friends
Keywords: has-patch

Description

See #4898, #4992.

Some methods in the BP_Friends_Friendship class could be sanitized better, usually with wp_parse_id_list().

Patch attached.

Attachments (1)

4993.patch (2.1 KB) - added by johnjamesjacoby 7 years ago.


Change History (4)

#1 @boonebgorges
7 years ago

Wow, there are some weird, obscure methods in this class. search_users() and search_users_count() don't have anything to do with friendships. This must be the fossilized remains of the earliest BP?

#2 @boonebgorges
7 years ago

  • Owner set to boonebgorges
  • Resolution set to fixed
  • Status changed from new to closed

In 7026:

Improved sanitization for Friends component database methods

  • All integer lists for IN clauses are run through wp_parse_id_list()
  • Search terms now escaped in the correct order

Also adds unit tests for touched methods

Fixes #4993

Props johnjamesjacoby

#3 @boonebgorges
7 years ago

In 7027:

Improved sanitization for Friends component database methods

  • All integer lists for IN clauses are run through wp_parse_id_list()
  • Search terms now escaped in the correct order

Fixes #4993 for the 1.7 branch

Props johnjamesjacoby
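The two fixes named in the commit messages above (integer lists run through wp_parse_id_list() before they reach an IN clause, and LIKE escaping applied before SQL string escaping) as a stand-alone PHP example. This is added here and is not BuddyPress or WordPress code: the example_* functions are self-contained stand-ins for wp_parse_id_list(), $wpdb->esc_like() and esc_sql() written for this example so it runs with plain `php` and no WordPress install, and the sample inputs are constructed.

```php
<?php
// Added example, not BuddyPress or WordPress code. The helpers below are
// stand-ins for wp_parse_id_list(), $wpdb->esc_like() and esc_sql(); their
// behaviour mirrors the WordPress functions but is an assumption made here.

// Stand-in for wp_parse_id_list(): accept an array or a comma/space
// separated string, cast every element to a non-negative integer, and drop
// duplicates. A non-numeric element collapses to 0 (as in WordPress), so
// callers that treat 0 as "no such user" should filter it out afterwards.
function example_parse_id_list( $list ) {
    if ( ! is_array( $list ) ) {
        $list = preg_split( '/[\s,]+/', (string) $list, -1, PREG_SPLIT_NO_EMPTY );
    }
    $ints = array_map( function ( $v ) { return abs( (int) $v ); }, $list );
    return array_values( array_unique( $ints ) );
}

// Build the "column IN (...)" fragment for a friendship query. Every element
// is already an integer, so interpolating the list into the SQL is safe.
// The empty list is handled explicitly because "IN ()" is a MySQL syntax
// error; "1=0" keeps the WHERE clause valid and matches nothing.
function example_in_clause( $column, $ids ) {
    $ids = example_parse_id_list( $ids );
    if ( empty( $ids ) ) {
        return '1=0';
    }
    return $column . ' IN (' . implode( ',', $ids ) . ')';
}

// Stand-in for $wpdb->esc_like(): backslash-escape the LIKE wildcards and
// the backslash itself so that user input is matched literally.
function example_esc_like( $text ) {
    return addcslashes( $text, '_%\\' );
}

// Escaping order for a LIKE search term. LIKE escaping must run first and
// SQL string escaping (here addslashes(); in WordPress esc_sql() or, better,
// $wpdb->prepare() with %s) second. In the reversed order esc_like() escapes
// the backslash that esc_sql() just added, which turns an escaped quote back
// into a bare one. Returns the complete quoted literal with a trailing
// wildcard, e.g. for "WHERE display_name LIKE <literal>".
function example_like_pattern( $term, $correct_order = true ) {
    if ( $correct_order ) {
        $escaped = addslashes( example_esc_like( $term ) );
    } else {
        $escaped = example_esc_like( addslashes( $term ) );
    }
    return "'" . $escaped . "%'";
}

// Scan a single-quoted MySQL literal the way the server does (a backslash
// escapes the character after it) and return the index of the quote that
// closes it. For a correctly escaped literal that is the last character;
// anything earlier means the rest of the string is parsed as raw SQL.
function example_closing_quote_index( $sql ) {
    $len = strlen( $sql );
    for ( $i = 1; $i < $len; $i++ ) {
        if ( $sql[ $i ] === '\\' ) {
            $i++; // skip the escaped character
        } elseif ( $sql[ $i ] === "'" ) {
            return $i;
        }
    }
    return -1;
}

// Constructed sample inputs.
$raw_ids = '5, 7, 7, 12abc, banana, 3';
echo example_in_clause( 'friend_user_id', $raw_ids ), "\n";
echo example_in_clause( 'friend_user_id', array() ), "\n";

$term = "50%_off'";
foreach ( array( true, false ) as $order ) {
    $sql       = example_like_pattern( $term, $order );
    $closes_at = example_closing_quote_index( $sql );
    printf(
        "%-7s order: %s  (literal closes at index %d, last index is %d)\n",
        $order ? 'correct' : 'wrong',
        $sql,
        $closes_at,
        strlen( $sql ) - 1
    );
}
```

Running it shows the ID list reduced to plain integers (the duplicate 7 dropped, `12abc` truncated to 12, `banana` collapsed to 0) and, for the search term, that only the correct order produces a literal whose closing quote is its last character; with the reversed order the scanner stops at the user's quote, which is exactly the condition the commit's "escaped in the correct order" line fixes. In real WordPress code, prefer `$wpdb->prepare()` with `%s` over esc_sql() for the second step; the ordering requirement is the same.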
