Possible bug with user creation (might be in core, not sure)

  • We have at least one user with an apostrophe in their SSO username (let’s say their username is “jane_o’toole”). The Shibboleth plugin won’t let them log in — WordPress is creating their local account with the username “jane_otoole” instead of one that matches their username.

    I tried manually updating the database, to change their username to “jane_o’toole” but that didn’t help. WordPress created a second account for her, so now there are accounts with usernames “jane_otoole” and “jane_o’toole”.

    I’m not sure if this is a bug in how the Shibboleth plugin is creating their local accounts, or if it’s a bug in WordPress itself. (It honestly feels like some well-intentioned “protection” from SQL injection.) Any pointers would be greatly appreciated.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Jonathan Champ

    (@jrchamp)

    Hi @desmith

    To create a user, we call wp_insert_user() which calls sanitize_user() in strict mode.

    To find a user, we call get_data_by() which calls sanitize_user() in non-strict mode.

    WordPress core is probably doing the right thing, fixing things when they first get added and not having magic behaviors when you’re trying to fetch existing information.

    For our plugin and from a security perspective, if there were two accounts in your SSO, one with an apostrophe and one without, if we were to call sanitize_user() in strict mode before looking up the account, it will return the same value for both users. This is particularly problematic if you have an admin account desmith and someone creates an account d'esmith, because now that (likely malicious) user has admin access.

    I haven’t come up with a good answer yet, but this may be something good to discuss on the GitHub repository: https://github.com/michaelryanmcneill/shibboleth

    A potential workaround would be to limit the SSO identifier to the set of characters that are allowed by the WordPress sanitize_user() function: [a-zA-Z0-9 _.\-@]. Very painful if the SSO is already widely used.

    For the moment, I’m going to mark this as resolved, because I think we both now understand the source of the problem. If you are willing, please do open a GitHub Issue so that you’re included in any discussion that occurs.

    Thread Starter David E. Smith

    (@desmith)

    Issue opened. This looks like in theory it’s a one-liner, but there’s a lot of potential discussion to be had around that one line. ??

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Possible bug with user creation (might be in core, not sure)’ is closed to new replies.

Tags