Perhaps interesting to note, the snippet is used in about a dozen themes:<br><br>-- Google ... site:<a href="http://themes.trac.wordpress.org/">http://themes.trac.wordpress.org/</a> "'comments.php' == basename($_SERVER['SCRIPT_FILENAME'])"<br>
<br><br clear="all">Cais.<br>
<br><br><div class="gmail_quote">On Sat, Sep 24, 2011 at 11:06 PM, Justin Tadlock <span dir="ltr"><<a href="mailto:justin@justintadlock.com">justin@justintadlock.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div bgcolor="#ffffff" text="#000000">
Basically, the code is ultimately irrelevant. There's no security
issue though.<br>
<br>
It's good to point it out to theme devs that they don't need it.<div><div></div><div class="h5"><br>
<br>
On 9/23/2011 9:52 PM, Dion Hulse (dd32) wrote:
<blockquote type="cite">
<div>The use-case mentioned is completely different from what
Mark's post is about. The snippet mentioned prevents direct
access to the comments template; Mark's post is about using
$_SERVER vars in theme output, so you can ignore that posting.<br>
</div>
<div><br>
</div>
<div>Speaking from a technical point of view (and not one of
knowing what the exact theme review guidelines are):</div>
<div>Having that in there is pointless, but having it in there is
not a problem either. It's just extra code being run, it's never
going to prevent a problem, nor create one (Well, unless the
theme is doing strange things in the comments template - like
writing files or something - things that that file should never
do). </div>
<div>So the guidelines are suggesting removal of a useless piece
of code. No need to require its removal; it's something like
doing this: if ( false ) {run_some_code();} - it's code that's
never going to be of use. The only thing removing it does is make
people more aware of what the PHP is actually doing.</div>
<div><br>
</div>
<div>As for using $pagenow/wp_die(), it's not needed, nor would it
be available in that case either (direct access of the file). If
the comments template is included, the theme is asking/WordPress
is asking to output the comments... bit of a no-brainer that it
wouldn't need to check the current templating action.</div>
<br>
<br>
<div class="gmail_quote">On 24 September 2011 11:37, Chip Bennett
<span dir="ltr"><<a href="mailto:chip@chipbennett.net" target="_blank">chip@chipbennett.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
I can't say that I agree that it's a security risk; it's a
conditional, not an input/output.
<div><br>
</div>
<div>However, I'm not sure it's really *needed*. What is the
inherent risk of loading comments.php directly?</div>
<div><br>
</div>
<div>If it *is* needed, what about using $pagenow instead (I
assume it's available in the front-end)? e.g.:</div>
<div><br>
</div>
<blockquote style="margin:0pt 0pt 0pt 40px;border:medium none;padding:0px">
<div>global $pagenow;</div>
<div>if ( 'comments.php' == $pagenow ) {}</div>
</blockquote>
<div><br>
</div>
<div>Also, might it be worthwhile to use wp_die() instead of
die()?</div>
<div><br>
</div>
<div><font color="#888888">Chip</font>
<div>
<div>
<br>
<br>
<div class="gmail_quote">On Fri, Sep 23, 2011 at 8:24
PM, Tyler Cunningham <span dir="ltr"><<a href="mailto:seizedpropaganda@gmail.com" target="_blank">seizedpropaganda@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
<div> You are correct in requiring this. It is
actually now a security risk as pointed out by
Mark Jaquith in a blog post. You can link to this
post if you like: </div>
<div><br>
</div>
<div><a href="http://markjaquith.wordpress.com/2009/09/21/php-server-vars-not-safe-in-forms-or-links/" target="_blank">http://markjaquith.wordpress.com/2009/09/21/php-server-vars-not-safe-in-forms-or-links/</a></div>
<div><br>
<span style="font-family:Arial"><span style="border-collapse:separate;color:rgb(0, 0, 0);font-family:Times;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-size:medium"><span style="font-family:Helvetica;font-size:13px"><span>Regards,</span><span><br>
<br>
</span></span></span></span>
<div style="font-size:medium;font-family:Arial"><span>Tyler Cunningham | Founder, COO
- <a href="http://CyberChimps.com/" style="color:rgb(0, 58, 138)" target="_blank">CyberChimps
LLC</a></span></div>
<div style="font-size:medium;font-family:Arial"><span><br>
</span></div>
<div style="font-size:medium;font-family:Arial"><span><a href="http://twitter.com/tylerbcunning" target="_blank">@tylerbcunning</a></span></div>
<div style="font-size:medium;font-family:Arial">
<span><a href="http://gplus.to/tylercunningham" target="_blank">http://gplus.to/tylercunningham</a></span></div>
<div style="font-size:medium;font-family:Arial"><span><a href="http://linkedin.com/in/tylerbcunningham" style="color:rgb(0, 58, 138)" target="_blank">http://linkedin.com/in/tylerbcunningham</a> </span></div>
<div style="font-size:medium;font-family:Arial"><span><a href="mailto:tyler@cyberchimps.com" style="color:rgb(0, 58, 138)" target="_blank">tyler@cyberchimps.com</a></span></div>
<br>
</div>
<div>
<div>
<p style="color:rgb(160, 160, 168)">On Friday,
September 23, 2011 at 6:23 PM, Vicky
Arulsingam wrote:</p>
</div>
</div>
<blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px"> <span>
<div>
<div>
<div>
<div>I'm seeking clarification regarding
the use of:
<div><br>
</div>
<div>
<div>if ( 'comments.php' ==
basename($_SERVER['SCRIPT_FILENAME'])
)</div>
<div><span style="white-space:pre-wrap"> </span>die ( 'Please
do not load this page directly.
Thanks.' );</div>
<div><br>
</div>
<div>I've been requiring that themes
not include this. Am I correct in
doing so or is the removal merely a
recommendation?</div>
<div><br>
</div>
-----
<div>Vicky Arulsingam</div>
<br>
</div>
</div>
</div>
</div>
<div>_______________________________________________<br>
theme-reviewers mailing list<br>
<a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
<a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
</div>
</div>
</span> </blockquote>
<div> <br>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</blockquote>
</div></div></div>
<br></blockquote></div><br>
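An added illustration of the distinction drawn in this thread (not code from any post, any theme, or WordPress itself): the guard only compares $_SERVER['SCRIPT_FILENAME'] and is false whenever WordPress includes the template, whereas the pattern Mark's post warns about is a $_SERVER value echoed into markup. File paths are constructed, and PHP_SELF is assumed here as the example of a request-derived $_SERVER value.

```php
<?php
// Added illustration for this thread, not code from any post or theme
// (file paths and the $_SERVER values below are constructed samples).

// The guard under discussion, reduced to a pure function so it can be
// exercised with any SCRIPT_FILENAME value.
function guard_fires(string $script_filename): bool
{
    return 'comments.php' === basename($script_filename);
}

// Case 1: a normal page view. WordPress's front controller is the script;
// comments.php is only include()d by comments_template(), so the
// condition is false on every such request, i.e. if ( false ) { ... }.
$front_controller = '/var/www/html/index.php';

// Case 2: the template file itself is requested. The condition is true,
// but WordPress never loaded, so without the guard the template would
// have died on its first call to any WordPress function anyway.
$direct_request = '/var/www/html/wp-content/themes/example/comments.php';

// $pagenow is a WordPress global; on a direct load it is likewise unset,
// so the $pagenow alternative has nothing to compare against in that case.
function wordpress_is_loaded(): bool
{
    return function_exists('comments_open') && isset($GLOBALS['pagenow']);
}

// What Mark's post warns about is a different pattern: a request-derived
// $_SERVER value being *output* into markup. PHP_SELF (assumed here as the
// example key) carries any PATH_INFO the client appended to the URL.
function form_action_unescaped(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '">';
}

function form_action_escaped(array $server): string
{
    // esc_url() is the WordPress call; htmlspecialchars() keeps this runnable stand-alone.
    return '<form action="' . htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8') . '">';
}

$server = ['PHP_SELF' => '/index.php/"extra'];  // constructed: client-supplied path info
foreach ([$front_controller, $direct_request] as $path) {
    printf("%-55s guard fires: %s\n", $path, guard_fires($path) ? 'yes' : 'no');
}
printf("WordPress loaded in this process: %s\n", wordpress_is_loaded() ? 'yes' : 'no');
echo form_action_unescaped($server), "\n";  // the quote ends the attribute early
echo form_action_escaped($server), "\n";    // the quote is encoded and stays inside it
```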