There is a serious bug in BuddyPress 1.2.3 signup validation
Hi, I work at Mindblaze Technologies.
I was deploying a site for one of our clients, opentuition.com, and I found this.
In bp-core/bp-core-signup.php
This code has a serious problem:
$db_illegal_names = get_site_option( 'illegal_names' );
$filtered_illegal_names = apply_filters( 'bp_core_illegal_usernames', array( 'www', 'web', 'root', 'admin', 'main', 'invite', 'administrator', BP_GROUPS_SLUG, BP_MEMBERS_SLUG, BP_FORUMS_SLUG, BP_BLOGS_SLUG, BP_REGISTER_SLUG, BP_ACTIVATION_SLUG ) );
$illegal_names = array_merge( (array)$db_illegal_names, (array)$filtered_illegal_names );
In it, the "array_merge" function is embedding "array( 'www', 'web', 'root', 'admin', 'main', 'invite', 'administrator', BP_GROUPS_SLUG, BP_MEMBERS_SLUG, BP_FORUMS_SLUG, BP_BLOGS_SLUG, BP_REGISTER_SLUG, BP_ACTIVATION_SLUG )" at the end of "$db_illegal_names", so every time the validation function is called it gets appended, and the size of this field keeps increasing to the point that it breaks the update query, which becomes huge after a hundred sign-ups or so.
The last line should be like this:
$common_names = array_intersect( (array)$db_illegal_names, (array)$filtered_illegal_names );
$diff_names = array_diff( (array)$db_illegal_names, (array)$filtered_illegal_names );
$illegal_names = array_merge( (array)$diff_names, (array)$common_names );
The "array_merge" function merges arrays with numeric keys; that is why we cannot use "array_merge" here.
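The growth described in the post can be reproduced offline with the following added example, which is not part of the original post or of BuddyPress. It compares a plain array_merge() that is saved back on every validation with a de-duplicated merge (array_unique(), a substitute technique, not the poster's proposed fix). Assumptions: an in-memory array stands in for the site option, the merged list is persisted on each call as the post describes, and the slug constants are replaced with constructed literals; all demo_* and validate_* names are hypothetical.

```php
<?php
// Constructed sample: stored option value before any signup is validated.
$initial_store = array( 'illegal_names' => array( 'www', 'blog' ) );

// Reserved names from the post; the BP_*_SLUG constants are replaced by
// constructed literals so the script runs without BuddyPress.
function demo_reserved_names(): array {
    return array( 'www', 'web', 'root', 'admin', 'main', 'invite', 'administrator',
        'groups', 'members', 'forums', 'blogs', 'register', 'activate' );
}

// Behaviour described in the post: plain array_merge(), result saved back.
function validate_appending( array &$store ): array {
    $merged = array_merge( (array) $store['illegal_names'], demo_reserved_names() );
    $store['illegal_names'] = $merged; // assumption: persisted on every validation
    return $merged;
}

// Idempotent variant: de-duplicate before saving, so repeated calls reach a
// fixed point while every reserved name is still enforced.
function validate_deduplicated( array &$store ): array {
    $merged = array_values( array_unique(
        array_merge( (array) $store['illegal_names'], demo_reserved_names() )
    ) );
    $store['illegal_names'] = $merged;
    return $merged;
}

// Run $signups validations against a private copy of the store and report
// how large the persisted value has become.
function run_signups( callable $validator, array $store, int $signups ): array {
    for ( $i = 0; $i < $signups; $i++ ) {
        $validator( $store );
    }
    return array(
        'entries'       => count( $store['illegal_names'] ),
        'bytes'         => strlen( serialize( $store['illegal_names'] ) ),
        'blocks_admin'  => in_array( 'admin', $store['illegal_names'], true ),
    );
}

foreach ( array( 'validate_appending', 'validate_deduplicated' ) as $validator ) {
    $r = run_signups( $validator, $initial_store, 100 );
    printf( "%-22s entries=%d bytes=%d blocks_admin=%s\n",
        $validator, $r['entries'], $r['bytes'], $r['blocks_admin'] ? 'yes' : 'no' );
}
```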