[wp-testers] Attachment bug?

Dougal Campbell dougal at gunters.org
Fri Feb 17 15:57:32 GMT 2006


Robert Deaton wrote:
> On 2/16/06, Dougal Campbell <dougal at gunters.org> wrote:
>> Personally, I feel that this is serious enough to warrant a 2.0.2. There
>> were some other post-2.0.1 bug fixes that we could roll in with it.
> 
> Agreed, the potential for this to be used as a security hole cannot go
> undiscovered, subselects and commenting the end of the query could
> allow various security leaks in some form or another I'm sure, as will
> darn near any SQL injection of any sort.

Oof, yeah, it would be a security problem on a site with multiple users 
with post privs.

Okay, it looks to me that after the 2.0.1 release (rev 3503), there were 
a few patches that changed major functionality (the addition of 
post_type, some page capability stuff, and pseudo-cron). But most of the 
commits have been bug fixes that could apply to a new interim release.

Looking back over the commits in my wp-svn mail folder, I'd say these 
could be used: 3504-3509, 3511, 3516, 3517, 3519-3521, 3523, 3524, 3527, 
3529, 3530, 3536-3544*. If I can find time today, I'll try applying 
these, and maybe put up a tarball/zip for folks to download and test.

[*] minus the post_type bits in 3539.

-- 
Dougal Campbell <dougal at gunters.org>
http://dougal.gunters.org/


