[theme-reviewers] Direct access prevention in comments.php - required or recommended?
Chip Bennett
chip at chipbennett.net
Sat Sep 24 01:37:37 UTC 2011
I can't say that I agree that it's a security risk; it's a conditional, not
an input/output.
However, I'm not sure it's really *needed*. What is the inherent risk of
loading comments.php directly?
If it *is* needed, what about using $pagenow instead (I assume it's
available in the front-end)? e.g.:
global $pagenow;
if ( 'comments.php' == $pagenow ) {} // comparison, not assignment
Also, might it be worthwhile to use wp_die() instead of die()?
Chip
On Fri, Sep 23, 2011 at 8:24 PM, Tyler Cunningham <seizedpropaganda at gmail.com> wrote:
> You are correct in requiring this. It is actually now a security risk as
> pointed out by Mark Jaquith in a blog post. You can link to this post if you
> like:
>
>
> http://markjaquith.wordpress.com/2009/09/21/php-server-vars-not-safe-in-forms-or-links/
>
> Regards,
>
> Tyler Cunningham | Founder, COO - CyberChimps LLC <http://CyberChimps.com/>
>
> @tylerbcunning <http://twitter.com/tylerbcunning>
> http://gplus.to/tylercunningham
> http://linkedin.com/in/tylerbcunningham
> tyler at cyberchimps.com
>
> On Friday, September 23, 2011 at 6:23 PM, Vicky Arulsingam wrote:
>
> I'm seeking clarification regarding the use of:
>
> if ( 'comments.php' == basename($_SERVER['SCRIPT_FILENAME']) )
> die ( 'Please do not load this page directly. Thanks.' );
>
> I've been requiring that themes not include this. Am I correct in doing so
> or is the removal merely a recommendation?
>
> -----
> Vicky Arulsingam
>
> _______________________________________________
> theme-reviewers mailing list
> theme-reviewers at lists.wordpress.org
> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>
>
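As an added example that is not part of the thread, and not WordPress's or any theme's own code: one way to write the guard the thread is debating so that it does not depend on anything WordPress provides. It assumes the file sits at the top of a theme's comments.php, that WordPress includes comments.php via comments_template() rather than serving it as a requested script, and that ABSPATH is the constant wp-load.php defines on every bootstrapped request; the function name example_theme_is_direct_request() is hypothetical.

```php
<?php
/**
 * Added example (not from the thread): a direct-access guard for a
 * WordPress theme template such as comments.php.
 *
 * Assumption: WordPress never requests comments.php over HTTP; it is
 * included from a normal page load. A direct request for the file runs it
 * without wp-load.php, so WordPress functions and globals (wp_die(),
 * $pagenow) do not exist yet and the guard itself must not rely on them.
 */

/**
 * Returns true when this file is the script the server is executing
 * rather than a file WordPress included. Uses only plain PHP.
 */
function example_theme_is_direct_request() {
    // ABSPATH is defined by wp-load.php on every WordPress request; its
    // absence is the clearest sign that WordPress did not include us.
    if ( ! defined( 'ABSPATH' ) ) {
        return true;
    }
    // Secondary check in the style the thread discusses. SCRIPT_FILENAME
    // is the path the server resolved for the executing script, not
    // request-supplied input, so using it inside a conditional (as opposed
    // to echoing it into markup) exposes nothing to a visitor. It can be
    // unset or empty under some CGI setups, hence isset(); comparing
    // against __FILE__ avoids hard-coding the template's name.
    if ( isset( $_SERVER['SCRIPT_FILENAME'] )
        && basename( $_SERVER['SCRIPT_FILENAME'] ) === basename( __FILE__ ) ) {
        return true;
    }
    return false;
}

if ( example_theme_is_direct_request() ) {
    // wp_die() is the nicer choice inside WordPress, but it only exists
    // once WordPress has loaded, so fall back to a plain 403 and exit.
    if ( function_exists( 'wp_die' ) ) {
        wp_die( 'Please do not load this page directly.', '', array( 'response' => 403 ) );
    }
    header( 'HTTP/1.1 403 Forbidden' );
    exit( 'Please do not load this page directly.' );
}

// The normal comments.php template follows from here.
```

The design choice worth noting: the ABSPATH test answers Chip's question about what a direct load actually risks (the file runs outside WordPress with no functions or globals defined, so the failure mode is an error page or partial output rather than anything reachable through a form or link), and the SCRIPT_FILENAME comparison is kept only as a conditional, which is the distinction between this guard and the server-variable-in-markup problem the linked post describes.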