[wp-testers] Re: Bugs/Fixes, Security Requests

Admin admin at activeblogging.com
Mon Dec 1 11:04:21 GMT 2008


Hi - I'm sorry I'm a bit late to this list, but I encountered some 
bugs (w/fixes) in the code - hope it's not too late to add them. As 
well, I had some security requests:

Bugfix:
-------
"Warning: Cannot modify header information - headers already sent by..."

Caused on Windows/Apache install, when starting with no wp-config.php 
file - auto-creating it adds spaces at end, which gives this message 
(first visible during the install pages). The fix is to change this 
line 158@/wp-admin/setup-config.php to add +b for binary:

$handle = fopen('../wp-config.php', 'w+b');

This prevents the function from defaulting to text format and 
inserting the extra lines (tested).


Security Request:
-----------------
Remove the generator meta display in themes when called by wp_head(), 
which is the hook set at line 173@/wp-includes/default-filters.php:

add_action('wp_head', 'wp_generator');

Although it can be removed in the theme or via plugin (I did a blog 
post at 
http://activeblogging.com/info/wordpress-security-version-numbers-and-themes/ 
explaining how), broadcasting the version by default seems a bad idea 
- an easy way for a spam program to patrol for older installs (or 
zero day exploits).


Request:
--------
Add non-indexing code to the login page to keep it out of indexes - 
it doesn't help search results, and exposes details of the site to 
casual viewers. To solve, you can insert this around about line 
48 at wp-login.php:

<meta name='robots' content='noindex,nofollow' />


Security Request:
-----------------
While a bit more involved, the security for the login page reveals a 
lot of information - if I enter a correct user name but bad password, 
it tells me; if I enter an invalid user name, it tells me. It might 
be a good idea to replace the specific messages with generic ones - 
e.g. "error: incorrect password or invalid username." This makes 
fishing for information less useful (for example, guessing user names 
and checking the message to see if they exist). The error strings 
involved all have ">ERROR<" in them, in wp-login.php.


Misc:
-----
While fixing the generator metatag issue, I read the documentation at 
http://codex.wordpress.org/Function_Reference/remove_action that:

"To remove a hook, the $function_to_remove and $priority arguments 
must match when the hook was added...No warning will be given on 
removal failure."

While not a problem in my case, it means that if later on you change 
the priority of an action added, other code with remove actions will 
fail silently (unless they are updated to the same priority). This 
could be an unnecessary maintenance issue in the future. Perhaps a 
function could be exposed allowing ALL occurrences of the action 
function, regardless of priority, to be removed. I'd be happy to 
submit one if no one has time to write it.

Thanks
Dave
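As an added example (not part of Dave's mail and not WordPress core code) of the generic-error request above, here is a small plugin that collapses the username-specific and password-specific login failures into one message. It assumes wp-login.php passes its rendered error text through the `login_errors` filter and that the plain login form arrives as a POST with no `action` parameter (or `action=login`); other wp-login.php actions such as lost-password keep their own text.

```php
<?php
/*
Plugin Name: Generic Login Errors (example)
Description: Hide whether a failed login was caused by an unknown username or a wrong password.
*/

// Replace whatever error text wp-login.php built for a failed login attempt
// with a single generic message, so the form no longer confirms that a
// given username exists.
function example_generic_login_error( $errors ) {
	// Only rewrite errors for the plain login form (assumption: the form
	// posts with no 'action' or with action=login). Lost-password and
	// other wp-login.php actions keep their original messages.
	$action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : 'login';
	$method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : 'GET';

	if ( 'login' !== $action || 'POST' !== $method ) {
		return $errors;
	}

	// Nothing to hide if the form was just displayed without an error.
	if ( empty( $errors ) ) {
		return $errors;
	}

	// Same "<strong>ERROR</strong>:" prefix the stock messages use, but one
	// text for both the unknown-username and wrong-password cases.
	return '<strong>ERROR</strong>: incorrect password or invalid username.<br />' . "\n";
}
add_filter( 'login_errors', 'example_generic_login_error' );
```

Drop the file into wp-content/plugins and activate it. Note that this only changes the displayed text: the two failure paths still differ in how long they take (the password hash is only checked when the username exists), so it raises the cost of enumeration rather than eliminating it; rate limiting on the login form is the usual complement.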

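For the remove_action priority issue in the Misc section, here is an added example (not from the mail, and not a function WordPress core provides) of the helper Dave suggests: it removes every registered copy of a callback from an action regardless of priority. It assumes the global `$wp_filter[$tag]` can be iterated with the priority as the key, which holds for the array layout of the time and also for the later WP_Hook object, and that `remove_action()` returns true when it actually removed something.

```php
<?php
// Remove a callback from an action at every priority it was registered
// with. Plain remove_action() only succeeds when the priority argument
// matches the one used in add_action(), and fails silently otherwise.
// Returns the number of registrations removed.
function example_remove_action_all_priorities( $tag, $function_to_remove ) {
	global $wp_filter;

	if ( ! isset( $wp_filter[ $tag ] ) ) {
		return 0;
	}

	// Collect the priorities first: removing while iterating would modify
	// the structure we are walking. (Assumption: $wp_filter[$tag] iterates
	// as priority => callbacks, true for the array layout and for WP_Hook.)
	$priorities = array();
	foreach ( $wp_filter[ $tag ] as $priority => $callbacks ) {
		$priorities[] = $priority;
	}

	$removed = 0;
	foreach ( $priorities as $priority ) {
		if ( remove_action( $tag, $function_to_remove, $priority ) ) {
			$removed++;
		}
	}
	return $removed;
}

// Usage: strip the generator tag from wp_head without depending on the
// priority core happens to register wp_generator with. Run after core's
// default filters are in place, so hook it to 'init'.
function example_strip_generator() {
	example_remove_action_all_priorities( 'wp_head', 'wp_generator' );
}
add_action( 'init', 'example_strip_generator' );
```

Because it returns a count, a caller can log or assert when nothing was removed, which addresses the "no warning on removal failure" behaviour quoted from the Codex.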