There is a serious bug in buddypress 1.2.3 signup validation

  • Faisal Zulfiqar
    Participant

    @faisalzulfiqar

    Hi I work at mindblaze technologies,

    I was deploying a site for one of our clients, opentuition.com, and I found this.

    In bp-core/bp-core-signup.php

    This code has a serious problem:

    $db_illegal_names = get_site_option( 'illegal_names' );

    $filtered_illegal_names = apply_filters( 'bp_core_illegal_usernames', array( 'www', 'web', 'root', 'admin', 'main', 'invite', 'administrator', BP_GROUPS_SLUG, BP_MEMBERS_SLUG, BP_FORUMS_SLUG, BP_BLOGS_SLUG, BP_REGISTER_SLUG, BP_ACTIVATION_SLUG ) );

    $illegal_names = array_merge( (array)$db_illegal_names, (array)$filtered_illegal_names );

    In it, the “array_merge” function is embedding “array( 'www', 'web', 'root', 'admin', 'main', 'invite', 'administrator', BP_GROUPS_SLUG, BP_MEMBERS_SLUG, BP_FORUMS_SLUG, BP_BLOGS_SLUG, BP_REGISTER_SLUG, BP_ACTIVATION_SLUG )” at the end of “$db_illegal_names”, so every time the validation function is called it gets appended and the size of this field starts to increase, until the point that it breaks the update query, which becomes huge after a hundred sign ups or so.

    The last line should be like this:

    $common_names = array_intersect( (array)$db_illegal_names, (array)$filtered_illegal_names );

    $diff_names = array_diff( (array)$db_illegal_names, (array)$filtered_illegal_names );

    $illegal_names = array_merge( (array)$diff_names, (array)$common_names );

    The “array_merge” function merges arrays with numeric keys; that is why we cannot use “array_merge” here.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Hugo
    Moderator

    @hnla

    Faisal Zulfiqar
    Participant

    @faisalzulfiqar

    This thread should be running as it contains the solution.

    Hugo
    Moderator

    @hnla

    You’ll probably get asked to add a ticket to Trac

    I was simply pointing out that this appears to be verified as such by another thread. It wasn’t a criticism :) nor am I a mod on this forum.

    I assume this is not an issue pre 1.2.3?

    Why have you reposted this? Now three threads. A dev or mod will see this soon I guess, but how about adding a critical ticket to Trac like most of us are asked to do? Or perhaps you have?

    Jeff Sayre
    Participant

    @jeffsayre

    hnla is correct. Bringing bugs, or even potential bugs, to the dev team’s attention is always appreciated! But, it will not be investigated nor remembered if it is not added to the bug tracking system in Trac.

    So, please log into Trac (you use the same credentials to do that as you do for these forums) and create a new Bug ticket.

    I have deleted the other thread. I could not find a second duplicate.

    Faisal Zulfiqar
    Participant

    @faisalzulfiqar

    Thanks Jeff Sayre

    I wasn’t able to log in on Trac before, then I figured out how to log in and posted the bug in Trac.

    rich! @ etiviti
    Participant

    @nuprn1

    Oh wow – just checked a few installs, thanks for the find.

    Though that fix above updates the illegal_names _options table with a blank array.
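
The growth described in the opening post and the blank-array result noted in the reply above, as an added example that is not part of the thread and not BuddyPress code. It replaces the site option with an in-memory array and assumes, as the post describes, that the combined list is written back on every validation; `validate_signup`, `$store` and the `dedupe` variant are hypothetical and are not the change made in changeset 2928.

```php
<?php
// Added example: an in-memory stand-in for the site option store (not WordPress code).
$store = array( 'illegal_names' => array( 'blog', 'files' ) ); // constructed sample value

// Constructed subset of the default list quoted in the post.
$defaults = array( 'www', 'web', 'root', 'admin' );

// Runs one signup validation: reads the stored list, combines it with the
// defaults using $combine, writes the result back, and returns its size.
function validate_signup( array &$store, array $defaults, callable $combine ) {
    $db_names = (array) $store['illegal_names'];
    $store['illegal_names'] = $combine( $db_names, $defaults );
    return count( $store['illegal_names'] );
}

// Combination reported in the post: defaults are appended on every call.
$append = function ( array $db, array $defaults ) {
    return array_merge( $db, $defaults );
};

// Replacement proposed in the post: diff plus intersect of the stored list.
$proposed = function ( array $db, array $defaults ) {
    $common = array_intersect( $db, $defaults );
    $diff   = array_diff( $db, $defaults );
    return array_merge( $diff, $common );
};

// Assumed idempotent alternative: merge, then drop duplicates and reindex.
$dedupe = function ( array $db, array $defaults ) {
    return array_values( array_unique( array_merge( $db, $defaults ) ) );
};

foreach ( array( 'append' => $append, 'proposed' => $proposed, 'dedupe' => $dedupe ) as $label => $combine ) {
    $state = $store;               // each strategy starts from the same stored value
    $sizes = array();
    for ( $i = 0; $i < 100; $i++ ) {
        $sizes[] = validate_signup( $state, $defaults, $combine );
    }
    // True only if every default name is present in the final stored list.
    $has_defaults = count( array_diff( $defaults, $state['illegal_names'] ) ) === 0;
    printf( "%-8s after 1 signup: %3d, after 100: %3d, defaults enforced: %s\n",
        $label, $sizes[0], $sizes[99], $has_defaults ? 'yes' : 'no' );
}
```

The `append` row grows by the length of the default list on every call, while the `proposed` row stays bounded but contains only names that were already stored, so an empty stored list yields an empty result.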

    r-a-y
    Moderator

    @r-a-y

    Thanks @faisalzulfiqar.

    JJJ has fixed this in changeset 2928:

    https://trac.buddypress.org/changeset/2928

    John James Jacoby
    Keymaster

    @johnjamesjacoby

    Fixed in branch. Expect a point release soon to address this and a few other sign-up issues.

  • The topic ‘There is a serious bug in buddypress 1.2.3 signup validation’ is closed to new replies.