[wp-hackers] Making WP more secure the evolutionary way

Florian Thiel flo.thiel+wphackers at googlemail.com
Thu Jan 22 10:20:55 GMT 2009


On Thu, Jan 22, 2009 at 12:21 AM, DD32 <wordpress at dd32.id.au> wrote:
> You might be interested in:
> http://trac.wordpress.org/ticket/6836
> http://trac.wordpress.org/ticket/7171

Yes, that's what I meant by "you already have some abstraction in
place but it's being used everywhere." I want to make it real easy to
pick up the places that need updating.

> Also, it seems to me that you're suggesting in your patch that using
> raw SQL (even though it's prepared) is a bad idea? Or am I reading it
> wrong? :)

Yes, that's my point; I'm probably not making that clear enough. The
whole idea is centralising access to the database. When you have 5
places in the system where the db is accessed, it's really easy to fix
things once you notice there is a security vulnerability. You fix it
in one place and all callers profit from that. Experience shows that
if you have critical things like db access all over the place you will
forget to update one or two places when applying a security fix. When
you look at the last XSS incidents with WP, there's exactly that
pattern. The problem was fixed by applying another magic escaping
method to the vulnerable spot. This probably leaves other places
vulnerable because escaping is not done in a consistent way everywhere
it's used. Obviously, you still need to find all the places where db
access (or client output) happens. But you only have to do that one
time.

Does that make sense to you?

Florian

> 2009/1/22 Florian Thiel <flo.thiel+wphackers at googlemail.com>:
>> I produced a patch against WordPress 2.7 which annotates and
>> classifies all uses of raw inline SQL. The classification tells you
>> how much work it would be to get rid of the inline use of SQL. The
>> patch can be found at
>> http://www.noroute.de/downloads/research/wordpress-2.7_sqlannotations.diff
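The contrast Florian is drawing, as an added example that is not part of the thread, of WordPress, or of the annotated patch: two call sites with their own inline prepared SQL next to a single data-access class that owns every query, plus one escaping function at the HTML boundary. It runs stand-alone with PHP 7.4 or later and the PDO SQLite driver; the table, its rows and all class and function names (`make_db`, `PostRepository`, `html`) are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not WordPress or patch code. Builds a throwaway SQLite
// database in memory so the script runs offline; rows are constructed.
function make_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT NOT NULL, status TEXT NOT NULL)');
    $pdo->exec("INSERT INTO posts (title, status) VALUES ('Hello world', 'publish'), ('Secret <script>', 'private')");
    return $pdo;
}

// Pattern 1: inline SQL at each call site. Both statements are prepared, so
// neither is injectable, but the rule "readers only see published posts" and
// the LIKE wildcard handling would each have to be added to every such site.
function inline_post_title(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT title FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $title = $stmt->fetchColumn();
    return $title === false ? null : (string) $title;
}

function inline_search_titles(PDO $pdo, string $needle): array
{
    // Caller-supplied '%' or '_' is passed straight into the pattern here.
    $stmt = $pdo->prepare('SELECT title FROM posts WHERE title LIKE :pat');
    $stmt->execute([':pat' => '%' . $needle . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Pattern 2: one class owns every query. Callers pass parameters, never SQL,
// so binding, the visibility rule and the wildcard escaping live in one method.
final class PostRepository
{
    private PDO $pdo;
    private bool $canSeeUnpublished;

    public function __construct(PDO $pdo, bool $canSeeUnpublished)
    {
        $this->pdo = $pdo;
        $this->canSeeUnpublished = $canSeeUnpublished;
    }

    // The single place a WHERE clause is assembled and executed. A fix made
    // here (the status filter, for instance) reaches every public method.
    private function rows(string $where, array $params): array
    {
        $sql = 'SELECT id, title, status FROM posts WHERE ' . $where;
        if (!$this->canSeeUnpublished) {
            $sql .= " AND status = 'publish'";
        }
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    public function titleById(int $id): ?string
    {
        $rows = $this->rows('id = :id', [':id' => $id]);
        return $rows[0]['title'] ?? null;
    }

    public function searchTitles(string $needle): array
    {
        // Escape LIKE metacharacters once, for every search in the system.
        $pattern = '%' . addcslashes($needle, '%_\\') . '%';
        $rows = $this->rows("title LIKE :pat ESCAPE '\\'", [':pat' => $pattern]);
        return array_column($rows, 'title');
    }
}

// Output side, same argument: one escaping function at the HTML boundary
// instead of ad hoc escaping (or none) at each echo.
function html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$pdo    = make_db();
$reader = new PostRepository($pdo, false);
$admin  = new PostRepository($pdo, true);

printf("inline, post 2:     %s\n", html(inline_post_title($pdo, 2) ?? '(none)'));
printf("reader repo, post 2: %s\n", html($reader->titleById(2) ?? '(hidden)'));
printf("admin repo, post 2:  %s\n", html($admin->titleById(2) ?? '(hidden)'));
printf("inline search '%%':  %s\n", html(implode(', ', inline_search_titles($pdo, '%'))));
printf("reader search '%%':  %s\n", html(implode(', ', $reader->searchTitles('%'))));
```

Run it with `php example.php`. The inline path returns the private post and treats a bare `%` as match-everything, because nothing on that path knows about the visibility rule or about LIKE metacharacters; the repository path applies both to every caller because they were written once in `rows()` and `searchTitles()`. Finding the inline sites is still required, which is exactly what the annotated diff above is for, but once each is routed through the repository the next fix is a one-place change.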

