
There is a serious bug in buddypress 1.2.3 signup validation

  • Faisal Zulfiqar
    Participant

    @faisalzulfiqar

    Hi, I work at Mindblaze Technologies.

    I was deploying a site for one of our clients, opentuition.com, and I found this.

    In bp-core/bp-core-signup.php

    This code has a serious problem:

    $db_illegal_names = get_site_option( 'illegal_names' );

    $filtered_illegal_names = apply_filters( 'bp_core_illegal_usernames', array( 'www', 'web', 'root', 'admin', 'main', 'invite', 'administrator', BP_GROUPS_SLUG, BP_MEMBERS_SLUG, BP_FORUMS_SLUG, BP_BLOGS_SLUG, BP_REGISTER_SLUG, BP_ACTIVATION_SLUG ) );

    $illegal_names = array_merge( (array)$db_illegal_names, (array)$filtered_illegal_names );

    In it, the “array_merge” function is embedding “array( 'www', 'web', 'root', 'admin', 'main', 'invite', 'administrator', BP_GROUPS_SLUG, BP_MEMBERS_SLUG, BP_FORUMS_SLUG, BP_BLOGS_SLUG, BP_REGISTER_SLUG, BP_ACTIVATION_SLUG )” at the end of “$db_illegal_names”, so every time the validation function is called it gets appended, and the size of this field starts to increase until the point that it breaks the update query, which becomes huge after a hundred signups or so.

    The last line should be like this:

    $common_names = array_intersect( (array)$db_illegal_names, (array)$filtered_illegal_names );

    $diff_names = array_diff( (array)$db_illegal_names, (array)$filtered_illegal_names );

    $illegal_names = array_merge( (array)$diff_names, (array)$common_names );

    The “array_merge” function merges arrays with numeric keys; that is why we cannot use “array_merge” here.
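
The growth described in the post above, as an added example that is not part of the original post and is not BuddyPress code. Assumptions: `$site_options` is a constructed stand-in for the stored `illegal_names` option, the slug constants are replaced by sample strings, the write-back after each validation is inferred from the post's mention of the update query, and the `array_unique` variant is this example's own choice rather than the fix proposed in the post.

```php
<?php
// Constructed stand-in for the WordPress site-option store (sample values).
$site_options = ['illegal_names' => ['www', 'web', 'root', 'admin', 'main', 'blog']];

// Constructed stand-in for the filtered list; slug constants replaced by sample strings.
$filtered = ['www', 'web', 'root', 'admin', 'main', 'invite', 'administrator',
             'groups', 'members', 'forums', 'blogs', 'register', 'activate'];

/** One signup validation using the merge quoted in the post, then storing the result. */
function validate_with_merge(array &$options, array $filtered): array {
    $db = (array) $options['illegal_names'];
    $illegal = array_merge($db, $filtered);   // numeric keys: values are appended, never overwritten
    $options['illegal_names'] = $illegal;     // assumed write-back of the merged list
    return $illegal;
}

/** Same step, but duplicates are dropped before the list is stored. */
function validate_with_unique(array &$options, array $filtered): array {
    $db = (array) $options['illegal_names'];
    $illegal = array_values(array_unique(array_merge($db, $filtered)));
    $options['illegal_names'] = $illegal;
    return $illegal;
}

/** Run $signups validations on a private copy of the store; return [entries, serialized bytes]. */
function simulate(callable $step, array $options, array $filtered, int $signups): array {
    for ($i = 0; $i < $signups; $i++) {
        $step($options, $filtered);
    }
    $stored = $options['illegal_names'];
    return [count($stored), strlen(serialize($stored))];
}

foreach ([1, 10, 100] as $n) {
    [$mergeCount, $mergeBytes] = simulate('validate_with_merge', $site_options, $filtered, $n);
    [$uniqCount, $uniqBytes]   = simulate('validate_with_unique', $site_options, $filtered, $n);
    printf("%3d signups: merge %4d entries / %5d bytes, unique %2d entries / %3d bytes\n",
           $n, $mergeCount, $mergeBytes, $uniqCount, $uniqBytes);
}
```

With the plain merge the stored list gains one full copy of the filtered names per validation, while the deduplicated list stops growing after the first call.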

Viewing 8 replies - 1 through 8 (of 8 total)
