
Changeset 12075


Ignore:
Timestamp:
09/20/2022 06:25:36 AM (2 years ago)
Author:
dd32
Message:

Login: Check the data type of the passed data; this prevents PHP Notices when junk input is provided to the public login/register forms.

Location:
sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login
Files:
2 edited

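--- a/sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/login.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/login.php
@@ -10,7 +10,10 @@
 // Prefill the username if possible.
 $username = $_REQUEST['user'] ?? ( wp_parse_auth_cookie()['username'] ?? '' );
+if ( ! is_string( $username ) ) {
+    $username = '';
+}
 
 // Redirect is validated at redirect time, just pass through whatever we can.
-if ( !empty( $_REQUEST['redirect_to'] ) ) {
+if ( ! empty( $_REQUEST['redirect_to'] ) ) {
     $redirect = wp_unslash( $_REQUEST['redirect_to'] );
 } elseif ( $referer = wp_get_referer() ) {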
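Review bot: The `redirect_to` branch on new line 17 still lets a non-string through: `! empty()` is true for a non-empty array, `wp_unslash()` (which presumably walks arrays) does not reject it, and `$redirect` then holds an array at the later validation step, the same class of notice this commit fixes for `user` three lines above. The same guard belongs here, `if ( ! empty( $_REQUEST['redirect_to'] ) && is_string( $_REQUEST['redirect_to'] ) ) {`. Whether the redirect-time validation tolerates an array is not visible in this hunk, and the `if`/`elseif` chain continues past its last line.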
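--- a/sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/register.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/register.php
@@ -6,8 +6,8 @@
  */
 
-$user_login       = isset( $_POST['user_login'] ) ? trim( wp_unslash( $_POST['user_login'] ) ) : '';
-$user_email       = isset( $_POST['user_email'] ) ? trim( wp_unslash( $_POST['user_email'] ) ) : '';
+$user_login       = isset( $_POST['user_login'] ) && is_string( $_POST['user_login'] ) ? trim( wp_unslash( $_POST['user_login'] ) ) : '';
+$user_email       = isset( $_POST['user_email'] ) && is_string( $_POST['user_email'] ) ? trim( wp_unslash( $_POST['user_email'] ) ) : '';
 $user_mailinglist = isset( $_POST['user_mailinglist'] ) && 'true' == $_POST['user_mailinglist'];
-$terms_of_service = isset( $_POST['terms_of_service'] ) ? $_POST['terms_of_service'] : false;
+$terms_of_service = isset( $_POST['terms_of_service'] ) ? intval( $_POST['terms_of_service'] ) : false;
 
 if ( ! $user_login && ! empty( WP_WPOrg_SSO::$matched_route_params['user'] ) ) {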
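Review bot: `intval()` on new line 11 is a weaker guard than the `is_string()` checks added for `user_login` and `user_email` on lines 8–9: it raises no notice on an array but maps any non-empty array to `1` and an empty one to `0`, so junk input still reaches `$terms_of_service` as a plausible integer instead of the `false` used for "not supplied". For consistency with the two lines above, `$terms_of_service = isset( $_POST['terms_of_service'] ) && is_string( $_POST['terms_of_service'] ) ? intval( $_POST['terms_of_service'] ) : false;`. Unchanged line 10 still uses loose `==`; `'true' === $_POST['user_mailinglist']` is the strict form and behaves the same for the array case (unequal, no notice). How `$terms_of_service` is consumed is outside this hunk.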