[wp-trac] Re: [WordPress Trac] #5565: Plugin can hook into any functions or variables inside WP

WordPress Trac wp-trac at lists.automattic.com
Wed Jan 2 02:43:24 GMT 2008


#5565: Plugin can hook into any functions or variables inside WP
-------------------------+--------------------------------------------------
 Reporter:  keithdsouza  |        Owner:  anonymous
     Type:  defect       |       Status:  closed   
 Priority:  low          |    Milestone:           
Component:  Security     |      Version:           
 Severity:  normal       |   Resolution:  invalid  
 Keywords:               |  
-------------------------+--------------------------------------------------
Changes (by darkdragon):

  * status:  new => closed
  * resolution:  => invalid
  * milestone:  2.5 =>

Comment:

 Indeed that has been possible, but the plugin would have to be first
 enabled by the user. However, from your previous tickets, you have stated
 that a user might be able to inject plugin code which would disrupt the
 plugin process.

 There is no PHP 4 compatible solution that can solve this, however. It is
 up to the user to make sure that the plugin they are downloading and
 upgrading is "safe" and up to the community to point out any plugins that
 aren't.

 WordPress can't protect users from themselves, and any hacking attempt that
 gets this far would need to have the hole that allowed the hacker to
 initiate code such as this.

 This ticket, as it stands, has no solution, or not one that doesn't require
 forcing PHP 5 to use private/protected class members or writing the plugin
 API as an extension.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/5565#comment:1>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

