[wp-trac] Re: [WordPress Trac] #8770: Add role filtering to user editing code to secure edit_users capabiltity (security)

WordPress Trac wp-trac at lists.automattic.com
Tue Jan 6 21:35:43 GMT 2009


#8770: Add role filtering to user editing code to secure edit_users capabiltity
(security)
--------------------------------------------------+-------------------------
 Reporter:  jeremyclarke                          |        Owner:  jeremyclarke
     Type:  defect (bug)                          |       Status:  new         
 Priority:  normal                                |    Milestone:  2.8         
Component:  Security                              |      Version:              
 Severity:  normal                                |   Resolution:              
 Keywords:  has-patch capabilities needs-testing  |  
--------------------------------------------------+-------------------------
Comment (by ryan):

 Replying to [comment:3 jeremyclarke]:
 > re: empty array from get_editable_roles() - I don't think this is
 > necessary because any situation where a user is being edited already has a
 > check in it to make sure. In fact I think by the time you've edited a user
 > the current_user_can('edit_users') has been run many many times (which is
 > good because it avoids various sneaky attacks using $_POST). In all the
 > cases I saw it was very well established that the user can edit_users,
 > both in the processing of $_POST and before even displaying the ui
 > elements needed to initiate a user edit.

 The phpdoc for get_editable_roles() is incorrect, however, if it always
 returns a full set of roles regardless of user.

 > re: wp-admin/users.php changes allowing edits - the patch is deceptive,
 > if you look just below the changes in the actual file you see that there
 > are specific checks to current_user_can('edit_user', $id), which will
 > return false if just 'edit_users' was false, and goes even further to
 > ensure that each specific user is editable. I just removed the plain
 > edit_users check because it was redundant and would have some minuscule
 > effect on performance. If that makes you nervous please just undo that
 > change and keep the rest.

 Okay, sounds like we're fine.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/8770#comment:4>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
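The layered checks discussed in this thread (a nonce on the request, the per-target `edit_user` meta capability rather than the plain `edit_users` capability, and role filtering through `get_editable_roles()`), shown as an added example for a hypothetical plugin handler. This is not WordPress core code and not the patch attached to #8770; the action name `example_change_role`, the handler function, and the rule that only users with `manage_options` may hand out the `administrator` role are assumptions made for the example. `current_user_can`, `get_editable_roles`, the `editable_roles` filter, `check_admin_referer`, `get_userdata` and `WP_User::set_role` are core functions and are assumed to be available because the code runs inside WordPress.

```php
<?php
/**
 * Added example: a plugin endpoint that changes another user's role while
 * applying the three checks discussed in ticket #8770.
 *
 * Assumptions (not from the ticket): the 'example_change_role' action and
 * nonce names are invented here, and the policy that only users holding
 * 'manage_options' may assign 'administrator' is an example policy.
 */

// Role filtering: trim the list get_editable_roles() returns so that a user
// without 'manage_options' never sees, and therefore can never assign, the
// 'administrator' role. Without a filter the function returns every role.
add_filter( 'editable_roles', function ( array $roles ) {
	if ( ! current_user_can( 'manage_options' ) ) {
		unset( $roles['administrator'] );
	}
	return $roles;
} );

/**
 * Handle POST /wp-admin/admin-post.php?action=example_change_role
 * with fields 'user_id' and 'role'.
 */
function example_handle_role_change() {
	// 1. CSRF: the form must carry the nonce issued for this action
	//    (check_admin_referer() calls wp_die() on a missing or stale nonce).
	check_admin_referer( 'example_change_role' );

	$user_id  = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
	$new_role = isset( $_POST['role'] ) ? sanitize_key( wp_unslash( $_POST['role'] ) ) : '';

	// 2. Per-target authorization. As the thread notes, 'edit_user' with an
	//    id is false whenever plain 'edit_users' is false, and core's
	//    meta-capability mapping can additionally refuse specific users.
	//    This check runs before any $_POST value is acted on.
	if ( 0 === $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
		wp_die( __( 'You are not allowed to edit this user.' ), 403 );
	}

	// 3. Role filtering: the new role must be one the current user is
	//    allowed to hand out, i.e. present in the filtered editable list.
	$editable_roles = get_editable_roles();
	if ( '' === $new_role || ! isset( $editable_roles[ $new_role ] ) ) {
		wp_die( __( 'You are not allowed to assign this role.' ), 403 );
	}

	$user = get_userdata( $user_id );
	if ( ! $user ) {
		wp_die( __( 'No such user.' ), 404 );
	}

	// All checks passed: replace the target's role and return to the form.
	$user->set_role( $new_role );
	wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
	exit;
}
add_action( 'admin_post_example_change_role', 'example_handle_role_change' );
```

The ordering matters: the nonce and the `edit_user` check both run before any `$_POST` field is used, which is the property jeremyclarke describes, and the role check consults the same filtered list the UI would use to build its drop-down, so a crafted request cannot assign a role the form would not have offered.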