[buddypress-trac] [BuddyPress] #4758: bp_forums_reply_exists misses to escape in db query
buddypress-trac
noreply at wordpress.org
Wed Jan 9 13:44:38 UTC 2013
#4758: bp_forums_reply_exists misses to escape in db query
--------------------------+-----------------------------
Reporter: wpdennis | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Forums | Version: 1.6.1
Severity: major | Keywords: dev-feedback
--------------------------+-----------------------------
The function ''bp_forums_reply_exists'' adds a filter to
''get_posts_where'' without escaping the specified value:
{{{
// BB_Query's post_text parameter does a MATCH, while we need exact matches
add_filter( 'get_posts_where', create_function( '$q', 'return $q . " AND p.post_text = \'' . $text . '\'";' ) );
}}}
In http://buddypress.trac.wordpress.org/browser/trunk/bp-forums/bp-forums-functions.php on line 366.
Since it's a public function it seems to be a security risk. I found it
because a post ending with the smiley ":\" will throw a MySQL error (the
backslash escapes the ' in the query).
Suggestion for escaping:
{{{
global $wpdb;
add_filter( 'get_posts_where', create_function( '$q', 'return $q . " AND p.post_text = \'' . $wpdb->escape($text) . '\'";' ) );
}}}
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/4758>
BuddyPress <http://buddypress.org/>
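An added example, not part of the ticket or of BuddyPress, that builds the WHERE fragment the way the ticket describes and then the same fragment with $wpdb->prepare(), using the reporter's ":\" input to show why the first form breaks. It assumes a WordPress environment where the global $wpdb is loaded and PHP 5.3+ for the closure.

```php
<?php
// Added example (not from the ticket or from BuddyPress). Assumes the
// WordPress global $wpdb is available and PHP 5.3+ for the closure.

// The reporter's trigger: a post body ending in the smiley ":\".
// The PHP literal below is the string   nice one :\   (one backslash).
$text = 'nice one :\\';

// Before: raw concatenation, as in bp_forums_reply_exists(). The trailing
// backslash escapes the closing quote, so the SQL is malformed and MySQL
// errors out; a quote inside $text would instead reshape the query.
$unsafe_where = " AND p.post_text = '" . $text . "'";
// resulting fragment:  AND p.post_text = 'nice one :\'

// After: let $wpdb->prepare() escape and quote the value. %s becomes a
// single-quoted, escaped literal, so backslashes and quotes in $text stay
// data and cannot alter the statement.
global $wpdb;
$safe_where = $wpdb->prepare( " AND p.post_text = %s", $text );
// resulting fragment:  AND p.post_text = 'nice one :\\'

// Hook the prepared fragment the way the original code hooks its own,
// but with a closure instead of create_function(), so the value is bound
// once here and no PHP source is built from user input.
add_filter( 'get_posts_where', function ( $q ) use ( $safe_where ) {
    return $q . $safe_where;
} );
```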