[wp-hackers] Couple of quick questions: restrict access to plugin file and loading of l10n

Travis Snoozy ai2097 at users.sourceforge.net
Fri Oct 19 20:57:27 GMT 2007

On Fri, 19 Oct 2007 10:40:42 -0700, Andrew Ozz <admin at laptoptips.ca>

> Hi, I need a bit of advice about a plugin I'm working on.
> 1. I've read the discussion about restricting access to a plugin's
> php file from about a month ago and agree that there's no substitute
> for properly escaping and sanitizing user input, POST and GET
> requests, using wp_nonce, etc. But good security is build in layers,
> so I'm thinking to restrict the loading of the plugin's main php file
> like that:
> if( strpos($_SERVER['REQUEST_URI'], 'my-plugin.php') !== false &&
>      strpos($_SERVER['REQUEST_URI'], 'wp-admin') === false )
>      exit('some error message');
> (load my-plugin.php only if it's requested by a script from wp-admin 
> directory).

Don't overload the word "requested" here; it's confusing. The word
you're looking for is included. ;)

You'd much more likely want to go for a match to something like
get_option('blogurl') . "wp-admin" (with normalization on the URL to
get the trailing slash right, and possibly with anything in or before
the prefix area of  http://{prefix}.example.org/ cut out) if you're
going to insist on URL matching. This prevents things like posts with
wp-admin in the slug from being able to include the code.

Also, I wouldn't recommend doing an exit, except in really controlled
circumstances. Your plugin is included on every page load, and you
don't want to inadvertently cause pages on the main blog to
quit early. A better approach would be to have the main plugin file
simply be a guarded require_once() statement, that will only trigger
when all the checks pass. If you really want to exit, and are convinced
that you'll trigger only on truly intentional attempts at accessing the
code in question, consider using wp_die instead.

IMHO, a check with current_user_can('manage_options') would be
simpler, more restrictive, and more robust than an URL/script name


In Series maintainer
Random coder & quality guy

More information about the wp-hackers mailing list