[wp-trac] Re: [WordPress Trac] #9164: #6871 Regression for Plugin Dir

WordPress Trac wp-trac at lists.automattic.com
Thu Feb 19 23:01:49 GMT 2009


#9164: #6871 Regression for Plugin Dir
--------------------------+-------------------------------------------------
 Reporter:  hakre         |       Owner:  ryan                    
     Type:  defect (bug)  |      Status:  new                     
 Priority:  high          |   Milestone:  2.7.2                   
Component:  Security      |     Version:  2.7                     
 Severity:  normal        |    Keywords:  2nd-opinion dev-feedback
--------------------------+-------------------------------------------------

Comment(by hakre):

 Fix does what it is intended for: Cleans out current payloads but I was
 able to circumvent the protection in a relativly easy way. Do not get me
 wrong, this should go in, it adds more consistency and cleans out current
 payloads.

 Anyway I must strongly speak for things like my suggestion/patch in #9175.
 It's like with Anit-Rootkit Tools: The Backend there directly accesses the
 Database and gets untainted values. That is in contrast to situations
 where a malicious script can already filter stuff (like with get_plugins
 or the plugin admin page). That ensured, an Admin at least can manually
 figure out that something went gaga. This helps in support as well.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/9164#comment:6>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software


More information about the wp-trac mailing list