[wp-hackers] Potential (security) issue with Twenty Ten?
Mike Little
wordpress at zed1.com
Thu Jan 6 12:34:17 UTC 2011
On 6 January 2011 12:01, Peter Westwood <peter.westwood at ftwr.co.uk> wrote:
> Hi,
>
> On 6 Jan 2011, at 11:26, Bjorn Wijers wrote:
>
> > Not sure if this is the right place to discuss this, so please point me
> in the right direction if this should be discussed somewhere else...
> >
>
> If you think you have found a security issue then you should contact the
> security "team" as documented here:
>
> http://codex.wordpress.org/Reporting_Bugs#Reporting_security_issues
>
>
and never on a public mailing list!
> > I was looking at Twenty Ten and noticed this piece of code below the
> theme textdomain loading in the functions.php:
> > ...
> > 93 $locale = get_locale();
> >
> > ... Also the $locale, as far as I can see although I haven't dived into
> it, does not get escaped. Somehow this looks kinda funky.
> >
>
$locale does not come from the outside world; only from setting in
wp-config.php or a plugin or theme that can filter the value. Therefore it
does not need escaping.
A simple check of the get_locale() function would have verified that.
Mike
--
Mike Little
http://zed1.com/
More information about the wp-hackers
mailing list