[wp-hackers] 1.5.1.3 XMLRPC problems

Scott Merrill skippy at skippy.net
Wed Jun 29 16:36:38 GMT 2005


Ryan Boren wrote:
> On Wed, 2005-06-29 at 12:17 -0400, Robert Deaton wrote:
> 
>>Before I forget, hat tip to skippy for tracing down the line that was
>>causing the problem, but the obvious solution of doing $this->escape
>>on every $arg but $arg[3] didn't work, but $wpdb->escape does and
>>achieves the same purpose. I haven't had time to look into why
>>$this->escape doesn't work, in fact, I have not a damn clue what it
>>is.
> 
> 
> Not escaping the content_struct will result in breakage with content
> that contains quotes.  A better solution might be to have the xmlrpc
> escape() method not escape objects.

I admit to being a little out of my league with regard to the specifics
of XMLRPC; but does this patch (not escaping objects) re-open the XMLRPC
vulnerability that 1.5.1.3 was intended to fix?

-- 
skippy at skippy.net | http://skippy.net/

gpg --keyserver pgp.mit.edu --recv-keys 9CFA4B35
506C F8BB 17AE 8A05 0B49  3544 476A 7DEC 9CFA 4B35

