bbPress.org

Opened 10 years ago

Closed 9 years ago

Last modified 6 years ago

#2742 closed defect (bug) (fixed)

Improve user submitted data sanitization

Reported by: johnjamesjacoby Owned by:
Milestone: 2.6 Priority: normal
Severity: normal Version: 2.0
Component: Tools - Code Improvements Keywords: commit
Cc:

Description

This ticket is for general improvements to user submitted data sanitization.

There are a few places where form fields could be more appropriately sanitized. WordPress functions like sanitize_key() & sanitize_user() are being underutilized, and some $_POST and $_GET values are being trusted a bit more than they should be.

Commits imminent.
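As an added example, not code from this ticket, bbPress or WordPress: a stand-alone PHP sketch of the pattern the description calls for. A request-supplied action is normalised with sanitize_key() semantics, looked up in a fixed allow-list of handlers, and a numeric id is cast to int before anything downstream touches it. example_sanitize_key(), example_handlers() and example_dispatch() are hypothetical names chosen here; the sample submissions are constructed.

```php
<?php
// Added example (not bbPress or WordPress code). It shows the pattern the
// ticket describes: normalise a request-supplied "action" before using it
// to select behaviour, then cast numeric ids to int so the rest of the
// call stack never handles a string.

/**
 * Stand-in for WordPress's sanitize_key(): scalar input is lowercased and
 * reduced to [a-z0-9_-]; anything else (an array smuggled in as
 * action[]=x, for instance) becomes the empty string. Defined here only
 * so the example runs without WordPress loaded.
 */
function example_sanitize_key( $key ) {
    if ( ! is_scalar( $key ) ) {
        return '';
    }
    $key = strtolower( (string) $key );
    return preg_replace( '/[^a-z0-9_\-]/', '', $key );
}

/**
 * Fixed allow-list of request handlers keyed by sanitized action name.
 * Because the lookup happens after sanitization, a request-controlled
 * string can only ever select one of these closures, or none of them.
 */
function example_handlers() {
    return array(
        'bbp-edit-topic' => function ( array $request ) {
            // (int) cast: "42" -> 42, "42abc" -> 42, "abc" -> 0. Downstream code
            // (capability checks, queries) receives an integer either way.
            $parent_id = isset( $request['parent_id'] ) && is_scalar( $request['parent_id'] )
                ? (int) $request['parent_id']
                : 0;
            return sprintf( 'edit-topic parent=%d', $parent_id );
        },
        'bbp-new-reply'  => function ( array $request ) {
            return 'new-reply';
        },
    );
}

/**
 * Dispatch one form submission ($request stands in for $_POST or $_GET).
 * Unknown, empty or malformed actions fall through to "ignored" rather
 * than being echoed back, logged raw, or used to build a hook or file name.
 */
function example_dispatch( array $request ) {
    $handlers = example_handlers();
    $action   = isset( $request['action'] ) ? example_sanitize_key( $request['action'] ) : '';

    if ( '' === $action || ! isset( $handlers[ $action ] ) ) {
        return 'ignored';
    }
    return $handlers[ $action ]( $request );
}

// Constructed sample submissions, not captured traffic.
$samples = array(
    array( 'action' => 'bbp-edit-topic', 'parent_id' => '42' ),
    array( 'action' => 'BBP-Edit-Topic', 'parent_id' => '42abc' ),
    array( 'action' => "bbp-edit-topic\0/../x", 'parent_id' => 'abc' ),
    array( 'action' => array( 'bbp-edit-topic' ), 'parent_id' => '42' ),
    array( 'parent_id' => '42' ),
);

foreach ( $samples as $i => $request ) {
    printf( "sample %d: %s\n", $i, example_dispatch( $request ) );
}
```

The point of the allow-list lookup is that sanitization alone only shrinks the character set; it is the lookup against known handler names that turns an arbitrary string into one of a small number of predictable actions, which is what the commits on this ticket describe as "improving the predictability of possible actions". The is_scalar() guard matters because PHP will happily hand a form handler an array when a parameter is submitted as name[]=value.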

Change History (10)

#1 @johnjamesjacoby
10 years ago

In 5587:

Use sanitize_key() in bbp_post_request() and bbp_get_request(), improving the predictability of possible actions. See #2742.

#2 @johnjamesjacoby
10 years ago

In 5588:

Use sanitize_key() in bbp_get_form_reply_status_dropdown() to ensure value is within expected boundaries. See #2742.

#3 @johnjamesjacoby
10 years ago

In 5589:

Use sanitize_key() in topics/functions.php to ensure values are within expected boundaries. See #2742.

#4 @johnjamesjacoby
10 years ago

In 5590:

Use sanitize_user() in bbp_user_maybe_convert_pass() to ensure user login is within expected boundaries. See #2742.

#5 @johnjamesjacoby
10 years ago

In 5591:

Use sanitize_key() in bbp_profile_update_role() to ensure role value is within expected boundaries. See #2742.

#6 @johnjamesjacoby
10 years ago

In 5592:

Use sanitize_key() in forums/template.php to ensure values are within expected boundaries. See #2742.

#7 @johnjamesjacoby
10 years ago

In 5593:

Cast value as (int) in bbp_get_form_forum_parent(), ensuring it is numerical for the remaining call stack. See #2742.

#8 @johnjamesjacoby
10 years ago

In 5594:

s/POST/GET/ from r5587. See #2742.

#9 @johnjamesjacoby
9 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Let's call this fixed and commit to it later if necessary.

#10 @johnjamesjacoby
6 years ago

Assigning all closed & unassigned tickets in the 2.6 milestone to myself.
