[wp-hackers] XMLRPC problems

Ryan Boren ryan at boren.nu
Wed Jun 29 16:46:44 GMT 2005

On Wed, 2005-06-29 at 12:36 -0400, Scott Merrill wrote:
> Ryan Boren wrote:
> > On Wed, 2005-06-29 at 12:17 -0400, Robert Deaton wrote:
> > 
> >>Before I forget, hat tip to skippy for tracing down the line that was
> >>causing the problem, but the obvious solution of doing $this->escape
> >>on every $arg but $arg[3] didn't work, but $wpdb->escape does and
> >>achieves the same purpose. I haven't had time to look into why
> >>$this->escape doesn't work, in fact, I have not a damn clue what it
> >>is.
> > 
> > 
> > Not escaping the content_struct will result in breakage with content
> > that contains quotes.  A better solution might be to have the xmlrpc
> > escape() method not escape objects.
> I admit to being a little out of my league with regards to the specifics
> of XMLRPC; but does this patch (not escaping objects) re-open the XMLRPC
> vulnerability that was intended to fix?

No.  There are only a couple of objects involved, most everything is a
string.  The object causing the problem here is IXR_Date.  IXR_Date
slices and dices the incoming date string and makes it safe for use.
So, it's contents don't need to be escaped.


More information about the wp-hackers mailing list