[wp-testers] Re: Bugs/Fixes, Security Requests

Jacob Santos wordpress at santosj.name
Mon Dec 1 14:31:05 GMT 2008


See reply below previous messages.

Admin wrote:
> Hi - I'm sorry I'm a bit late to this list, but I encountered some 
> bugs (w/fixes) in the code - hope it's not too late to add them. As 
> well, I had some security requests:
>
> Bugfix:
> -------
> "Warning: Cannot modify header information - headers already sent by..."
>
> Caused on windows/apache install, when starting with no wp-config.php 
> file - auto-creating it adds spaces at end, which gives this message 
> (first visible during the install pages). The fix is to change this 
> line 158@/wp-admin/setup-config.php to add +b for binary:
>
> $handle = fopen('../wp-config.php', 'w+b');
>
> this prevents the function from defaulting to text format, and 
> inserting the extra lines (tested)

I don't think writing text is binary, but okay. It isn't about that, as 
it is about the new line character. I've been using the 
wp-admin/setup-config.php and not once has it created an extra newline 
where it shouldn't. Would be nice to do it, if it works and fixes the 
problem.

> Security Request:
> -----------------
> Remove the generator meta display in themes when called by wp_head(), 
> which is the hook set at line 173@/wp-includes/default-filters.php:
>
> add_action('wp_head', 'wp_generator');
>
> Although it can be removed in the theme or via plugin (I did a blog 
> post at 
> http://activeblogging.com/info/wordpress-security-version-numbers-and-themes/ 
> explaining how), broadcasting the version by default seems a bad idea 
> - an easy way for a spam program to patrol for older installs (or zero 
> day exploits).

Like you said, you can already remove it. That was the reason it was 
added to the filter as opposed to being hard-coded. Well, one of the 
reasons.

> Request:
> --------
> Add non-indexing code to the login page to keep it out of indexes - it 
> doesn't help search results, and exposes details of the site to casual 
> viewers. To solve, you can insert this around about line 48 at wp-login.php:
>
> <meta name='robots' content='noindex,nofollow' />

Well, you could probably do this using a plugin as well. Also you can 
add it to the robots.txt file for good measure.

>
> Security Request:
> -----------------
> While a bit more involved, the security for the login page reveals a 
> lot of information - if I enter a correct user name but bad password, 
> it tells me; if I enter an invalid user name, it tells me. It might be 
> a good idea to replace the specific messages with generic ones - eg 
> "error: incorrect password or invalid username." This makes fishing 
> for information less useful (for example, guessing user names and 
> checking the message to see if they exist). The error strings involved 
> all have ">ERROR<" in them, in wp-login.php.

This horse has already been beaten to death, risen from the dead and then 
set on fire to prevent the zombie from coming back. The reasons for it 
(from what I can remember from past discussions) are 1) security through 
obscurity usually isn't and 2) it is very helpful when you've forgotten 
both your username and password and don't have immediate or any access 
to the database tables.

>
>
> Misc:
> -----
> While fixing the generator metatag issue, I read the documentation at 
> http://codex.wordpress.org/Function_Reference/remove_action that:
>
> "To remove a hook, the $function_to_remove and $priority arguments 
> must match when the hook was added...No warning will be given on 
> removal failure."
>
> While not a problem in my case, it means that if later on you change 
> the priority of an action added, other code with remove actions will 
> fail silently (unless they are updated to the same priority). This 
> could be an unnecessary maintenance issue in the future. Perhaps a 
> function could be exposed allowing ALL occurrences of the action 
> function, regardless of priority, to be removed. I'd be happy to 
> submit one if no one has time to write it.

It is never going to change. You have no need to worry.

Jacob Santos
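The "headers already sent" warning in the first item comes from bytes that PHP emits before WordPress gets to send its headers: whitespace or a byte-order mark before the opening tag, or anything after a closing `?>` other than the single newline PHP swallows. The check below is an added example written for this thread, not code from WordPress or from either poster; the function name `example_stray_output` is mine, and the sample `wp-config.php` text is constructed to reproduce the trailing-space case described above. It uses PHP's own tokenizer, which reports any text outside `<?php ... ?>` as `T_INLINE_HTML`, so it finds exactly the bytes that would be output rather than guessing with a string search.

```php
<?php
// Return every chunk of text a PHP file would send to the client on its
// own, i.e. anything outside the PHP tags: a BOM or blank line before
// "<?php", or stray whitespace after a closing "?>". PHP discards exactly
// one newline directly after "?>", and token_get_all() models that by
// folding it into the T_CLOSE_TAG token, so only genuinely emitted bytes
// show up here as T_INLINE_HTML.
function example_stray_output( $source ) {
    $stray = array();
    foreach ( token_get_all( $source ) as $token ) {
        if ( is_array( $token ) && $token[0] === T_INLINE_HTML ) {
            $stray[] = $token[1];
        }
    }
    return $stray;
}

// Constructed sample: two spaces after "?>" are enough to trigger
// "Cannot modify header information - headers already sent by ...".
$sample = "<?php\ndefine( 'DB_NAME', 'wordpress' );\n?>  \n";

var_export( example_stray_output( $sample ) );
// array ( 0 => '  ' . "\n" )

// The same check against a real config file (path is an assumption):
// var_export( example_stray_output( file_get_contents( '/path/to/wp-config.php' ) ) );
```

An empty array means the file emits nothing before WordPress runs. The simplest durable fix for a config file that fails the check is to drop the closing `?>` altogether, since PHP does not require it and nothing can then trail it.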


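The three remaining requests in this thread (suppress the generator tag, keep the login page out of indexes, and give a single generic login error) can each be done from a plugin, which is the route the replies above point to. What follows is an added example for this thread, not code from WordPress or from either poster. It assumes the standard WordPress hook API: `has_action()` returning the priority of a matching callback or `false`, the `login_head` action that fires inside the `<head>` of wp-login.php, and the `login_errors` filter that wp-login.php applies to its error HTML; the `example_` function names are mine. The first function also addresses the "Misc" item: it removes a callback at every priority it was registered with, so it keeps working if the priority used by `add_action()` changes later.

```php
<?php
/*
Plugin Name: Example login hardening (added example, not a WordPress file)
*/

// Remove every registration of $callback on $tag, whatever priority it was
// added with. has_action() returns the priority of the first matching
// callback (or false), so looping until it returns false clears all of
// them without the caller having to know the priority used by add_action().
// Priority 0 is a valid priority, hence the strict comparison with false.
function example_remove_action_all_priorities( $tag, $callback ) {
    $removed = 0;
    while ( ( $priority = has_action( $tag, $callback ) ) !== false ) {
        if ( ! remove_action( $tag, $callback, $priority ) ) {
            break; // defensive: never loop forever if removal fails
        }
        $removed++;
    }
    return $removed;
}

// 1. Stop wp_head() from printing <meta name="generator" ...>.
// Running this on 'init' means default-filters.php has already registered
// wp_generator, so the removal finds it regardless of plugin load order.
function example_drop_generator() {
    example_remove_action_all_priorities( 'wp_head', 'wp_generator' );
}
add_action( 'init', 'example_drop_generator' );

// 2. Ask crawlers not to index or follow the login page. 'login_head' fires
// inside the <head> of wp-login.php, where the poster proposed adding the tag.
function example_login_noindex() {
    echo "<meta name='robots' content='noindex,nofollow' />\n";
}
add_action( 'login_head', 'example_login_noindex' );

// 3. Replace the distinct "invalid username" / "incorrect password" messages
// with one generic string on the login step only. wp-login.php dispatches on
// the 'action' request parameter; the plain login form leaves it unset, so
// lost-password and registration errors are passed through untouched.
function example_generic_login_error( $errors ) {
    $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : 'login';
    if ( 'login' !== $action ) {
        return $errors;
    }
    return '<strong>ERROR</strong>: incorrect password or invalid username.';
}
add_filter( 'login_errors', 'example_generic_login_error' );
```

Drop the file into `wp-content/plugins/` and activate it. The generic message closes the enumeration route the poster describes (telling a valid username apart from an invalid one by the error text), but note that response timing and other pages can still leak the same information, so treat this as one layer rather than a complete fix; it also takes away the "which one did I forget?" hint that the reply above values.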
