Require numeric IDs in user deletion functions.

`wp_delete_user()` and `wpmu_delete_user()` both require an `$id` parameter. Previously, the functions did not verify that the value passed was, in fact, a number. As such, passing an object or any other entity that would be cast to int `1` would result in user 1 being deleted. We fix this by enforcing the requirement that `$id` be numeric. Props dipesh.kakadiya, utkarshpatel, juliobox. Fixes #33800. git-svn-id: https://develop.svn.wordpress.org/trunk@34034 602fd350-edb4-49c9-b593-d223f7449a82
2015-09-11 02:24:03 +00:00 · 2015-09-11 02:24:03 +00:00 · 5b9d9c7c07
commit 5b9d9c7c07
parent 40a0d1f3cb
4 changed files with 63 additions and 0 deletions
--- a/src/wp-admin/includes/ms.php
+++ b/src/wp-admin/includes/ms.php
@ -185,6 +185,10 @@ function wpmu_delete_blog( $blog_id, $drop = false ) {
 function wpmu_delete_user( $id ) {
 	global $wpdb;

+	if ( ! is_numeric( $id ) ) {
+		return false;
+	}
+
 	$id = (int) $id;
 	$user = new WP_User( $id );

--- a/src/wp-admin/includes/user.php
+++ b/src/wp-admin/includes/user.php
@ -273,6 +273,10 @@ function get_users_drafts( $user_id ) {
 function wp_delete_user( $id, $reassign = null ) {
 	global $wpdb;

+	if ( ! is_numeric( $id ) ) {
+		return false;
+	}
+
 	$id = (int) $id;
 	$user = new WP_User( $id );

--- a/tests/phpunit/tests/user/multisite.php
+++ b/tests/phpunit/tests/user/multisite.php
@ -344,6 +344,29 @@ class Tests_Multisite_User extends WP_UnitTestCase {
 		}
 	}

+	public function test_numeric_string_user_id() {
+		$u = $this->factory->user->create();
+
+		$u_string = (string) $u;
+		$this->assertTrue( wpmu_delete_user( $u_string ) );
+		$this->assertFalse( get_user_by( 'id', $u ) );
+	}
+
+	/**
+	 * @ticket 33800
+	 */
+	public function test_should_return_false_for_non_numeric_string_user_id() {
+		$this->assertFalse( wpmu_delete_user( 'abcde' ) );
+	}
+
+	/**
+	 * @ticket 33800
+	 */
+	public function test_should_return_false_for_object_user_id() {
+		$u_obj = $this->factory->user->create_and_get();
+		$this->assertFalse( wpmu_delete_user( $u_obj ) );
+		$this->assertEquals( $u_obj->ID, username_exists( $u_obj->user_login ) );
+	}
 }

 endif ;
--- a/tests/phpunit/tests/user/wpDeleteUser.php
+++ b/tests/phpunit/tests/user/wpDeleteUser.php
@ -125,4 +125,36 @@ class Tests_User_WpDeleteUser extends WP_UnitTestCase {
 		$post = get_post( $post_id );
 		$this->assertEquals( $reassign, $post->post_author );
 	}
+
+	public function test_numeric_string_user_id() {
+		if ( is_multisite() ) {
+			$this->markTestSkipped( 'wp_delete_user() does not delete user records in Multisite.' );
+		}
+
+		$u = $this->factory->user->create();
+
+		$u_string = (string) $u;
+		$this->assertTrue( wp_delete_user( $u_string ) );
+		$this->assertFalse( get_user_by( 'id', $u ) );
+	}
+
+	/**
+	 * @group 33800
+	 */
+	public function test_should_return_false_for_non_numeric_string_user_id() {
+		$this->assertFalse( wp_delete_user( 'abcde' ) );
+	}
+
+	/**
+	 * @group 33800
+	 */
+	public function test_should_return_false_for_object_user_id() {
+		if ( is_multisite() ) {
+			$this->markTestSkipped( 'wp_delete_user() does not delete user records in Multisite.' );
+		}
+
+		$u_obj = $this->factory->user->create_and_get();
+		$this->assertFalse( wp_delete_user( $u_obj ) );
+		$this->assertEquals( $u_obj->ID, username_exists( $u_obj->user_login ) );
+	}
 }