[wp-testers] Re: Bugs/Fixes, Security Requests
Admin
admin at activeblogging.com
Mon Dec 1 11:04:21 GMT 2008

Hi - I'm sorry I'm a bit late to this list, but I encountered some
bugs (w/fixes) in the code - hope it's not too late to add them. As
well, I had some security requests:

Bugfix:
-------
"Warning: Cannot modify header information - headers already sent by..."
Caused on Windows/Apache install, when starting with no wp-config.php
file - auto-creating it adds spaces at end, which gives this message
(first visible during the install pages). The fix is to change this
line 158@/wp-admin/setup-config.php to add +b for binary:
$handle = fopen('../wp-config.php', 'w+b');
this prevents the function from defaulting to text format, and
inserting the extra lines (tested)

Security Request:
-----------------
Remove the generator meta display in themes when called by wp_head(),
which is the hook set at line 173@/wp-includes/default-filters.php:
add_action('wp_head', 'wp_generator');
Although it can be removed in the theme or via plugin (I did a blog
post at
http://activeblogging.com/info/wordpress-security-version-numbers-and-themes/
explaining how), broadcasting the version by default seems a bad idea
- an easy way for a spam program to patrol for older installs (or
zero day exploits).

Request:
--------
Add non-indexing code to the login page to keep it out of indexes -
it doesn't help search results, and exposes details of the site to
casual viewers. To solve, you can insert this around about line
48 at wp-login.php:
<meta name='robots' content='noindex,nofollow' />

Security Request:
-----------------
While a bit more involved, the security for the login page reveals a
lot of information - if I enter a correct user name but bad password,
it tells me; if I enter an invalid user name, it tells me. It might
be a good idea to replace the specific messages with generic ones -
e.g. "error: incorrect password or invalid username." This makes
fishing for information less useful (for example, guessing user names
and checking the message to see if they exist). The error strings
involved all have ">ERROR<" in them, in wp-login.php

Misc:
-----
While fixing the generator metatag issue, I read the documentation at
http://codex.wordpress.org/Function_Reference/remove_action that:
"To remove a hook, the $function_to_remove and $priority arguments
must match when the hook was added...No warning will be given on
removal failure."
While not a problem in my case, it means that if later on you change
the priority of an action added, other code with remove actions will
fail silently (unless they are updated to the same priority). This
could be an unnecessary maintenance issue in the future. Perhaps a
function could be exposed allowing ALL occurrences of the action
function, regardless of priority, to be removed. I'd be happy to
submit one if no one has time to write it.

Thanks
Dave
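As an added illustration of two of the requests above (not code from the original post or from WordPress core): a small must-use plugin with a helper that removes a hooked function at every priority it was registered with, used here to drop the generator tag, plus the robots meta tag for the login page emitted through the `login_head` action. It assumes the standard WordPress hook API (`has_action()` returns the priority of a matched callback or `false`; `remove_action()` returns whether a callback was actually removed) and that `login_head` fires inside the `<head>` of wp-login.php; the `ab_` function names are made up for this example.

```php
<?php
/*
 * Plugin Name: Example hardening snippets
 * Added example for the wp-testers thread; not part of WordPress core.
 * Assumes: has_action(), remove_action(), add_action(), login_head (WordPress hook API).
 */

/**
 * Remove every registration of $callback on $tag, whatever priority it was added with.
 *
 * has_action() returns the priority of the first matching callback (or false when none
 * is attached), so looping until it returns false strips all registrations without the
 * caller having to know the priority used by core or by another plugin. The iteration
 * cap and the check on remove_action()'s return value stop the loop from spinning if
 * a removal ever fails. Returns the number of registrations removed.
 */
function ab_remove_action_all_priorities($tag, $callback, $max_iterations = 100) {
    $removed = 0;
    // Strict comparison matters: priority 0 is a valid priority and must not be read as false.
    while ($removed < $max_iterations && ($priority = has_action($tag, $callback)) !== false) {
        if (!remove_action($tag, $callback, $priority)) {
            break; // nothing was removed; do not loop forever on a stale lookup
        }
        $removed++;
    }
    return $removed;
}

/** Stop broadcasting the WordPress version in <head>, regardless of the priority core used. */
function ab_strip_generator_tag() {
    ab_remove_action_all_priorities('wp_head', 'wp_generator');
}
// 'init' runs after default-filters.php has registered wp_generator, so the removal sticks.
add_action('init', 'ab_strip_generator_tag');

/** Keep wp-login.php out of search indexes by printing the robots meta tag into its <head>. */
function ab_login_noindex() {
    echo "<meta name='robots' content='noindex,nofollow' />\n";
}
add_action('login_head', 'ab_login_noindex');
```

Dropping this file into wp-content/mu-plugins/ activates it without any admin action. The helper is deliberately silent about priorities: if a later release moves `wp_generator` to a different priority, the removal still works, which is exactly the maintenance problem described in the "Misc" section.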
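The "one generic error" idea from the second security request, written out as a stand-alone added example (not WordPress code and not part of the original post): both failure paths return the identical message, and a request for a username that does not exist still runs a password check against a throwaway hash, so the response body and the time taken no longer tell a caller whether the username was valid. It assumes PHP's `password_hash()` / `password_verify()` (PHP 5.5+) in place of WordPress's own user lookup and hashing, and the user table is a constructed in-memory sample.

```php
<?php
/*
 * Added example: generic login failure message plus constant-work verification.
 * Not WordPress code. Assumes PHP >= 5.5 for password_hash()/password_verify().
 */

// Single message for every failed login attempt, as suggested in the post.
define('AB_LOGIN_ERROR', 'ERROR: incorrect password or invalid username.');

/** Constructed sample user table (username => password hash) standing in for wp_users. */
function ab_sample_users() {
    static $users = null;
    if ($users === null) {
        $users = array(
            'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
        );
    }
    return $users;
}

/**
 * Hash of a string that is never accepted. When the username is unknown we verify the
 * supplied password against this instead of skipping the check, so an unknown username
 * costs the same hashing work as a wrong password and is harder to tell apart by timing.
 */
function ab_dummy_hash() {
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('dummy-password-never-accepted', PASSWORD_DEFAULT);
    }
    return $hash;
}

/**
 * Returns array('ok' => bool, 'message' => string).
 * Unknown username and wrong password are indistinguishable in the returned message.
 */
function ab_authenticate($username, $password) {
    $users  = ab_sample_users();
    $exists = isset($users[$username]);
    $hash   = $exists ? $users[$username] : ab_dummy_hash();

    // Always run the verification, even for an unknown user.
    $verified = password_verify($password, $hash);

    if ($exists && $verified) {
        return array('ok' => true, 'message' => '');
    }
    return array('ok' => false, 'message' => AB_LOGIN_ERROR);
}

// Usage: the two failing calls produce byte-for-byte identical responses.
$attempts = array(
    array('alice',   'wrong password'),
    array('mallory', 'anything'),
    array('alice',   'correct horse battery staple'),
);
foreach ($attempts as $attempt) {
    $result = ab_authenticate($attempt[0], $attempt[1]);
    printf("%-8s %s\n", $attempt[0], $result['ok'] ? 'login ok' : $result['message']);
}
```

The dummy hash is generated with the same algorithm and cost as the real ones so the failing branch does comparable work; reusing a static dummy rather than hashing on every request keeps the cost predictable. Lockout or rate limiting is a separate layer and is not shown here.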