[wp-trac] [WordPress Trac] #8910: Limit the RSS widget from using its own url
WordPress Trac
wp-trac at lists.automattic.com
Wed May 5 17:22:26 UTC 2010
#8910: Limit the RSS widget from using its own url
-----------------------------+----------------------------------------------
Reporter: webmaestro | Type: defect (bug)
Status: reopened | Priority: high
Milestone: Future Release | Component: Widgets
Version: 2.9.2 | Severity: major
Resolution: | Keywords: needs-patch, rss, widget, url, HTTP/1.0, server, loop, feed, recent posts, archive
-----------------------------+----------------------------------------------
Changes (by robechar):
* priority: normal => high
* version: 2.8 => 2.9.2
Comment:
From the perspective of the systems team at our university, this is a critical
security issue. Our team uses WordPress MU for our university blogging
system, and on four separate occasions we have had members set their RSS
widget to their own RSS feed. In our system, the loop results in a huge
number of open processes, and effectively takes down one of our servers.
The ability for any member to take out a server is a major security issue
for us, and we have had a lot of pressure to move away from WordPress for
this reason. We have written a patch which disallows users from selecting
their own RSS feed, but we would like to see this issue addressed at the
core level, so we don't have to patch every release, and to prevent this
issue from being exploited on other systems.
While theoretically including your own RSS feed is a valid thing to do, as
dd32 points out, the architecture of WordPress currently doesn't handle it
properly. In the short-term, until that issue can be fully addressed,
adding this patch to core should prevent this issue from being exploited.
Patch for /wp-includes/default-widgets.php
{{{
741,759d740
< /**
< * Override save settings to prevent inclusion of your own RSS feed
< *
< * Written in response to this issue
< * http://core.trac.wordpress.org/ticket/8910
< */
< function save_settings($settings) {
< global $current_blog;
< // Make sure this blog isn't including their own RSS feed
< foreach ($settings as $index=>$fields) {
< if (!empty($fields['url'])) {
< if (substr_count($fields['url'], $current_blog->domain .
$current_blog->path)) {
< $settings[$index]['url'] = '';
< }
< }
< }
< return parent::save_settings($settings);
< }
<
}}}
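Review bot: The hunk is reversed. `741,759d740` with `<` lines describes deleting the new `save_settings()` method, i.e. it was produced as `diff patched original`, so applying it to the pristine default-widgets.php will fail; regenerate it as `diff -u original patched` (or `svn diff`) so the method shows up as additions, and fix the mail-wrapped continuation line `$current_blog->path)) {`, which has lost its `<` prefix and would also break `patch`. On the logic: `global $current_blog` only exists on WordPress MU, so in a single-site install the variable is undefined and the needle passed to `substr_count()` collapses to an empty string (PHP warns on an empty needle and the check silently does nothing); guard it with `isset($current_blog)` or derive the host and path from `home_url()` so the same code works on both. Also note that `substr_count()` is a literal, case-sensitive substring match against the canonical domain and path only, so this is a narrow stop-gap for the self-referencing loop rather than a complete check; that is fine for the short-term goal stated in the comment, but the method deserves a comment saying so, and the durable fix remains at the feed-fetch level as dd32's point implies.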
--
Ticket URL: <http://core.trac.wordpress.org/ticket/8910#comment:11>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software