[wp-trac] [WordPress Trac] #13317: Code Improvement in get_userdata
WordPress Trac
wp-trac at lists.automattic.com
Sun May 16 02:13:07 UTC 2010
#13317: Code Improvement in get_userdata
------------------------------------+---------------------------------------
 Reporter:  hakre                   |       Owner:
     Type:  defect (bug)            |      Status:  reopened
 Priority:  high                    |   Milestone:  3.0
Component:  Security                |     Version:
 Severity:  major                   |  Resolution:
 Keywords:  has-patch dev-feedback  |
------------------------------------+---------------------------------------
Comment (by hakre):
Replying to [comment:20 nacin]:
> Finally, there is a difference between returning an admin user object
> ''on error'' and stuffing absolute garbage into functions.
Yeah, totally right. I just wonder why, when the docblocks already
document that {{{$user_id}}} is to be an int, you run absint() on it
anyway. I mean, it's already an integer, and if someone adds garbage into
this function, like a negative integer, the function is not expected to
return a user, right?
You should really reflect what you say here in the end.
Getting the admin when passing -1 to that function is not a good thing
either. But let's better not be that strict; this is only about
user management, which is known to be an area where doing things in a
secure manner isn't that important.
Sorry for so much irony.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/13317#comment:22>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
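The failure mode hakre describes above, as an added illustration that is not code from the ticket, the patch or WordPress core: absint() collapses a negative or otherwise malformed user id onto a positive one (so -1 becomes 1, the id of the first user created on a default install), whereas a strict check refuses anything that is not already a positive integer and lets the caller fail the lookup. The `absint_like()` helper below is a local stand-in assumed to mirror core's `abs( intval( $value ) )`; `strict_user_id()` and the sample inputs are constructed for this example.

```php
<?php
// Added example (not WordPress core code). Contrasts absint()-style
// coercion of a user id with a strict validator that rejects anything
// that is not a positive integer. Run with: php validate_user_id.php

// Local stand-in for WordPress' absint(); assumed to match core's
// abs( intval( $value ) ) for the inputs used here.
function absint_like( $maybeint ) {
    return abs( intval( $maybeint ) );
}

// Strict alternative: hand back the id only when it is already a positive
// integer (or an all-digit string); otherwise return false so the caller
// can refuse the lookup instead of silently resolving to another user.
function strict_user_id( $value ) {
    if ( is_int( $value ) ) {
        return $value > 0 ? $value : false;
    }
    if ( is_string( $value ) && ctype_digit( $value ) ) {
        $id = (int) $value;
        return $id > 0 ? $id : false;
    }
    return false;
}

// Constructed inputs a careless or hostile caller might pass.
$samples = array( 1, -1, 0, '7', '-7', ' 3', '3abc', 1.9, null, true );

foreach ( $samples as $input ) {
    printf(
        "%-8s absint-like => %-3s strict => %s\n",
        var_export( $input, true ),
        var_export( absint_like( $input ), true ),
        var_export( strict_user_id( $input ), true )
    );
}
```

Running it shows the rows the discussion turns on: `-1` and `'-7'` come out of the absint-style path as `1` and `7`, while the strict path returns `false` for them and for every non-digit input, which is the behaviour a lookup function should have when its documented contract already says the argument is an int.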