[wp-hackers] Any drawbacks in setting WP_CONTENT_DIR (and URL) to DOCUMENT_ROOT?

Otto otto at ottodestruct.com
Fri Jul 13 16:00:48 UTC 2012


On Fri, Jul 13, 2012 at 10:57 AM, Mike Little <wordpress at zed1.com> wrote:
>> > Haven't tested this, but anyone can preview any troubles with this setup
>> in
>> > wp-config.php?
>> > (WordPress installed at the root)
>> >
>> > define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] );
>> > define( 'WP_CONTENT_URL', 'http://www.example.com' );
>>
>>
> There are discussions around the net the $_SERVER['DOCUMENT_ROOT'] may be
> susceptible to hacking. In which case this is extremely dangerous because
> there are lots of places that require() or include() WP_CONTENT_DIR .
> 'something';

What Mike said.

In general, $_SERVER is not safe. It's a mix of information from the
webserver, some of which can be changed by the web browser connecting
to the server.

There are cases where the content in $_SERVER can be perfectly safe,
but for security purposes, it is better to always treat it as
untrusted data. For this specific case, hardcode the directory.

-Otto
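The two settings from the original question next to a hardcoded alternative, as an added example that is not part of the thread and not WordPress's own code. It assumes wp-config.php sits in the document root as the original poster described, so `__DIR__` resolves to the same directory without reading `$_SERVER`; `wp_content_dir_is_sane()` is a hypothetical helper.

```php
<?php
// Added example, not from the thread or from WordPress itself.
//
// Risky: WP_CONTENT_DIR is taken from $_SERVER['DOCUMENT_ROOT']. $_SERVER
// mixes webserver configuration with data from the connecting client, so
// the whole array is treated as untrusted; this value then feeds the many
// require()/include() calls of the form WP_CONTENT_DIR . 'something'.
//
//   define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] );
//   define( 'WP_CONTENT_URL', 'http://www.example.com' );

// Hardened: hardcode the directory. __DIR__ is the directory that holds
// wp-config.php, fixed at deploy time and independent of any request
// (it is the same value the stock wp-config.php derives with dirname(__FILE__)
// for ABSPATH). A literal path such as '/var/www/example' (a constructed
// placeholder) works just as well.
define( 'WP_CONTENT_DIR', __DIR__ );
define( 'WP_CONTENT_URL', 'http://www.example.com' );

// Hypothetical load-time sanity check: fail closed if the configured
// directory is not an existing, canonical absolute path.
function wp_content_dir_is_sane( $dir ) {
    $real = realpath( $dir );
    if ( $real === false || ! is_dir( $real ) ) {
        return false;                        // missing or unresolvable
    }
    // Reject relative or non-canonical spellings (e.g. containing '..').
    return $real === rtrim( $dir, '/\\' ) || $dir === $real;
}

if ( ! wp_content_dir_is_sane( WP_CONTENT_DIR ) ) {
    die( 'WP_CONTENT_DIR must be a hardcoded, existing absolute path.' );
}
```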

