[wp-trac] Re: [WordPress Trac] #9185: cordon off all non-entry points from the public

WordPress Trac wp-trac at lists.automattic.com
Fri Feb 20 04:49:50 GMT 2009


#9185: cordon off all non-entry points from the public
-----------------------------+----------------------------------------------
 Reporter:  jidanni          |       Owner:  ryan                    
     Type:  feature request  |      Status:  new                     
 Priority:  normal           |   Milestone:  2.9                     
Component:  Security         |     Version:  2.7                     
 Severity:  normal           |    Keywords:  2nd-opinion dev-feedback
-----------------------------+----------------------------------------------
Changes (by DD32):

  * keywords:  => 2nd-opinion dev-feedback
  * type:  defect (bug) => feature request
  * milestone:  2.8 => 2.9


Comment:

 Moving to 2.9 due to no patch, and because it is a feature request.

 The worst that will ever happen is that a fatal PHP error is shown, allowing
 an end-user to find out the path in which WordPress is installed. Many have
 argued in the past that this is a security issue and allows people to
 exploit a WordPress installation more easily, but the fact is, they'll do it
 one way or another anyway.

 Due to the way WordPress is structured, it will always be impossible for
 code execution, or unintended permanent changes to be made to WordPress,
 the database, files, or the server, by directly accessing any non-entry
 point. If it was wanted, it could be set to redirect users back to the
 front page in the event that they do come across the page, but it's not
 exactly a needed requirement (or urgent item).

 Something such as this could be added to every page:
 {{{
 // ABSPATH is defined by the WordPress entry points; if it is missing, this
 // file was requested directly rather than included.
 if ( ! defined('ABSPATH') ) {
     header('Location: ../'); // Despite the fact you should only use absolute URLs here..
     die('Bugger off');
 }
 }}}

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/9185#comment:1>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
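As an added illustration of the guard idea discussed in the comment above (this is example code, not DD32's snippet and not WordPress core): a non-entry-point file refuses direct requests once it finds that no entry point has defined ABSPATH, and a small audit walks a tree and lists the PHP files that lack such a check. The directory layout, file names and the `files_missing_guard` helper are constructed for the demo. Independently of any guard, the path disclosure the comment describes (a fatal error printing the install path) is also prevented by running production PHP with `display_errors` off and logging errors instead.

```php
<?php
// Added example, not WordPress core code.
//
// Pattern: a file that is only ever meant to be included checks that the
// entry point (index.php, wp-admin/*.php, ...) has already defined ABSPATH.
// If it has not, the file was requested directly; answer 403 and say nothing,
// so neither the install path nor a fatal error text is revealed.

// --- 1. The guard a non-entry-point file would begin with (nowdoc so it can
//        be written into the demo files below) ---
const GUARD_SNIPPET = <<<'PHP'
if ( ! defined( 'ABSPATH' ) ) {
    http_response_code( 403 ); // refuse instead of redirecting with a relative URL
    exit;                      // no message: nothing to learn about the server
}
PHP;

// --- 2. Audit: return the .php files under $root (relative paths) whose
//        first 2 KiB contain no defined('ABSPATH') check. Entry points are
//        skipped because they are the files that define ABSPATH. ---
function files_missing_guard( string $root, array $entry_points ): array {
    $missing = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( $file->getExtension() !== 'php' ) {
            continue;
        }
        $rel = substr( $file->getPathname(), strlen( $root ) + 1 );
        if ( in_array( $rel, $entry_points, true ) ) {
            continue;
        }
        $head = file_get_contents( $file->getPathname(), false, null, 0, 2048 );
        if ( ! preg_match( "/defined\\s*\\(\\s*['\"]ABSPATH['\"]\\s*\\)/", $head ) ) {
            $missing[] = $rel;
        }
    }
    sort( $missing );
    return $missing;
}

// --- 3. Demo on a constructed tree in a temporary directory ---
$root = sys_get_temp_dir() . '/guard-demo-' . getmypid();
mkdir( "$root/wp-includes", 0700, true );
mkdir( "$root/wp-admin/includes", 0700, true );

// Entry point: defines ABSPATH, then includes everything else.
file_put_contents( "$root/index.php",
    "<?php\ndefine( 'ABSPATH', __DIR__ . '/' );\nrequire ABSPATH . 'wp-includes/guarded.php';\n" );
// Guarded non-entry point.
file_put_contents( "$root/wp-includes/guarded.php",
    "<?php\n" . GUARD_SNIPPET . "\necho 'included correctly';\n" );
// Unguarded non-entry point: a direct request would hit the undefined
// ABSPATH constant and, with display_errors on, print a fatal error.
file_put_contents( "$root/wp-admin/includes/unguarded.php",
    "<?php\nrequire_once ABSPATH . 'wp-includes/helpers.php';\n" );

foreach ( files_missing_guard( $root, [ 'index.php' ] ) as $path ) {
    echo "missing ABSPATH guard: $path\n";
}

// Clean up the constructed tree.
foreach ( new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
    RecursiveIteratorIterator::CHILD_FIRST ) as $f ) {
    $f->isDir() ? rmdir( $f->getPathname() ) : unlink( $f->getPathname() );
}
rmdir( $root );
```

Run it with `php guard-audit.php`; it prints one line per non-entry-point file that carries no ABSPATH check, which in the constructed tree is only the file under `wp-admin/includes`. The audit is a text match on the file head, so a guard written in an unusual form (or placed further down the file) needs the regex adjusted; treat its output as a worklist to review, not as proof.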