[wp-hackers] add_magic_quotes() Plans for removal?

Kevin Newman CaptainN at unFocus.com
Mon Mar 7 19:32:17 UTC 2011


On 3/7/11 10:25 AM, Peter Westwood wrote:
> As has been said in response to previous threads on this subject.
>
> We would love to remove this code but we can't without opening up numerous possible security issues in plugins which unfortunately rely on it.
>
> If you want to go through and review every plugin in the plugin repo.
> Create patches and get them accepted by the plugin authors.
>
> Then we can consider removing this code. Until then it is not a good idea.
>
> Cheers
> -- Peter Westwood

Hi Peter,

I made two suggestions to deal with this, including at least adding a 
way for those of us who want to develop responsibly to be able to do so, 
by checking the php.ini setting. WordPress is BREAKING this, and it 
should be fixed (which doesn't imply it has to stop magic quoting anything).

I also suggested making it a config option to sidestep the issue of 
opening up security vulnerabilities, which would be off by default. I 
will not use the plugins in question, and would love to be able to 
toggle this off for my own purposes, understanding the risks.

Here's another idea - some way for new plugins to call a method that 
would disable this for the plugin (you can already do it manually - in 
fact some are just doing it to the $_POST array - which will open that 
security vulnerability - there's something to think about). You could 
then call up a deprecation message for any plugin that doesn't actually 
disable this (this needs more thought, but you get the idea).

It's true that changing this is problematic, but it's also problematic 
to avoid changing it forever, or to even avoid coming up with a plan to 
change it at some point.

Kevin N.
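
Added example, not part of the message above or of WordPress itself: a self-contained PHP sketch of the side effect the message mentions, where one plugin strips slashes from `$_POST` itself and a second plugin that relies on those slashes loses its escaping. `demo_add_magic_quotes()`, `demo_unslash()`, `legacy_plugin_query()` and the `wp_demo` table are hypothetical names, the `addslashes()` stand-in for core's slashing is an assumption, and the request data is constructed (PHP 7 or later assumed).

```php
<?php
// Stand-in for core's add_magic_quotes(): recursively backslash-escape
// request data. Assumption: plain addslashes() models the behaviour.
function demo_add_magic_quotes(array $data): array {
    foreach ($data as $k => $v) {
        $data[$k] = is_array($v) ? demo_add_magic_quotes($v) : addslashes($v);
    }
    return $data;
}

// Recursive inverse. PHP passes arrays by value, so the caller's array
// is only changed if the caller assigns the result back to it.
function demo_unslash(array $data): array {
    foreach ($data as $k => $v) {
        $data[$k] = is_array($v) ? demo_unslash($v) : stripslashes($v);
    }
    return $data;
}

// Hypothetical legacy plugin: builds SQL by concatenation and depends on
// the slashes already being present in $_POST.
function legacy_plugin_query(array $post): string {
    return "SELECT * FROM wp_demo WHERE author = '" . $post['author'] . "'";
}

// Constructed request data, as PHP delivers it without magic_quotes_gpc.
$raw   = ['author' => "O'Brien", 'tags' => ["rock'n'roll"]];
$_POST = demo_add_magic_quotes($raw);    // slashing applied on every request

// Plugin A: unslash a private copy and leave the superglobal alone.
$clean = demo_unslash($_POST);
assert($clean === $raw);                    // the copy round-trips exactly
assert($_POST['author'] === "O\\'Brien");   // $_POST is still slashed
$before = legacy_plugin_query($_POST);

// Plugin B: overwrite $_POST for the rest of the request.
$_POST = demo_unslash($_POST);
$after = legacy_plugin_query($_POST);

// The legacy query kept its escaped quote before plugin B ran, not after.
assert(substr_count($before, "\\'") === 1);
assert(substr_count($after, "\\'") === 0);
echo $before, PHP_EOL, $after, PHP_EOL;
```

The legacy query is only well-formed while every other plugin leaves `$_POST` slashed, which is the coupling both messages describe.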



