<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Basically, the code is ultimately irrelevant. There's no security
issue though.<br>
<br>
It's good to point it out to theme devs that they don't need it.<br>
<br>
On 9/23/2011 9:52 PM, Dion Hulse (dd32) wrote:
<blockquote
cite="mid:CAL4EHfkEvi5o=LoPtraR-tOoR3iOav6UM+c1qH=-uKmcHceWOA@mail.gmail.com"
type="cite">
<div>The use-case mentioned is completely different from what
Mark's post is about. The snippet mentioned prevents direct
access to the comments template; Mark's post is about using
$_SERVER vars in theme output, so you can ignore that posting.<br>
</div>
<div><br>
</div>
<div>Speaking from a technical point of view (and not one of
knowing what the exact theme review guidelines are):</div>
<div>Having that in there is pointless, but having it in there is
not a problem either. It's just extra code being run, it's never
going to prevent a problem, nor create one (Well, unless the
theme is doing strange things in the comments template - like
writing files or something - things that that file should never
do). </div>
<div>So the guidelines are suggesting removal of a useless piece
of code. No need to require its removal; it's something like
doing this: if ( false ) {run_some_code();} - it's code that's
never going to be of use. The only thing removing it does is make
people more aware of what the PHP is actually doing.</div>
<div><br>
</div>
<div>As for using $pagenow/wp_die(), it's not needed, nor would it
be available in that case either (direct access of the file). If
the comments template is included, the theme is asking/WordPress
is asking to output the comments... bit of a no-brainer that it
wouldn't need to check the current templating action.</div>
<br>
<br>
<div class="gmail_quote">On 24 September 2011 11:37, Chip Bennett
<span dir="ltr"><<a moz-do-not-send="true"
href="mailto:chip@chipbennett.net">chip@chipbennett.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
I can't say that I agree that it's a security risk; it's a
conditional, not an input/output.
<div><br>
</div>
<div>However, I'm not sure it's really *needed*. What is the
inherent risk of loading comments.php directly?</div>
<div><br>
</div>
<div>If it *is* needed, what about using $pagenow instead (I
assume it's available in the front-end)? e.g.:</div>
<div><br>
</div>
<blockquote style="margin: 0pt 0pt 0pt 40px; border: medium
none; padding: 0px;">
<div>global $pagenow;</div>
<div>if ( 'comments.php' == $pagenow ) {}</div>
</blockquote>
<div><br>
</div>
<div>Also, might it be worthwhile to use wp_die() instead of
die()?</div>
<div><br>
</div>
<div><font color="#888888">Chip</font>
<div>
<div class="h5">
<br>
<br>
<div class="gmail_quote">On Fri, Sep 23, 2011 at 8:24
PM, Tyler Cunningham <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:seizedpropaganda@gmail.com"
target="_blank">seizedpropaganda@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt
0pt 0.8ex; border-left: 1px solid rgb(204, 204,
204); padding-left: 1ex;">
<div> You are correct in requiring this. It is
actually now a security risk as pointed out by
Mark Jaquith in a blog post. You can link to this
post if you like: </div>
<div><br>
</div>
<div><a moz-do-not-send="true"
href="http://markjaquith.wordpress.com/2009/09/21/php-server-vars-not-safe-in-forms-or-links/"
target="_blank">http://markjaquith.wordpress.com/2009/09/21/php-server-vars-not-safe-in-forms-or-links/</a></div>
<div><br>
<span style="font-family: Arial;"><span
style="border-collapse: separate; color:
rgb(0, 0, 0); font-family: Times; font-style:
normal; font-variant: normal; font-weight:
normal; letter-spacing: normal; line-height:
normal; text-indent: 0px; text-transform:
none; white-space: normal; word-spacing: 0px;
font-size: medium;"><span style="font-family:
Helvetica; font-size: 13px;"><span>Regards,</span><span><br>
<br>
</span></span></span></span>
<div style="font-size: medium; font-family:
Arial;"><span>Tyler Cunningham | Founder, COO
- <a moz-do-not-send="true"
href="http://CyberChimps.com/" style="color:
rgb(0, 58, 138);" target="_blank">CyberChimps
LLC</a></span></div>
<div style="font-size: medium; font-family:
Arial;"><span><br>
</span></div>
<div style="font-size: medium; font-family:
Arial;"><span><a moz-do-not-send="true"
href="http://twitter.com/tylerbcunning"
target="_blank">@tylerbcunning</a></span></div>
<div style="font-size: medium; font-family:
Arial;">
<span><a moz-do-not-send="true"
href="http://gplus.to/tylercunningham"
target="_blank">http://gplus.to/tylercunningham</a></span></div>
<div style="font-size: medium; font-family:
Arial;"><span><a moz-do-not-send="true"
href="http://linkedin.com/in/tylerbcunningham"
style="color: rgb(0, 58, 138);"
target="_blank">http://linkedin.com/in/tylerbcunningham</a> </span></div>
<div style="font-size: medium; font-family:
Arial;"><span><a moz-do-not-send="true"
href="mailto:tyler@cyberchimps.com"
style="color: rgb(0, 58, 138);"
target="_blank">tyler@cyberchimps.com</a></span></div>
<br>
</div>
<div>
<div>
<p style="color: rgb(160, 160, 168);">On Friday,
September 23, 2011 at 6:23 PM, Vicky
Arulsingam wrote:</p>
</div>
</div>
<blockquote type="cite" style="border-left-style:
solid; border-width: 1px; margin-left: 0px;
padding-left: 10px;"> <span>
<div>
<div>
<div>
<div>I'm seeking clarification regarding
the use of:
<div><br>
</div>
<div>
<div>if ( 'comments.php' ==
basename($_SERVER['SCRIPT_FILENAME'])
)</div>
<div><span style="white-space:
pre-wrap;"> </span>die ( 'Please
do not load this page directly.
Thanks.' );</div>
<div><br>
</div>
<div>I've been requiring that themes
not include this. Am I correct in
doing so or is the removal merely a
recommendation?</div>
<div><br>
</div>
-----
<div>Vicky Arulsingam</div>
<br>
</div>
</div>
</div>
</div>
<div>_______________________________________________<br>
theme-reviewers mailing list<br>
<a moz-do-not-send="true"
href="mailto:theme-reviewers@lists.wordpress.org"
target="_blank">theme-reviewers@lists.wordpress.org</a><br>
<a moz-do-not-send="true"
href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers"
target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
</div>
</div>
</span> </blockquote>
<div> <br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
theme-reviewers mailing list
<a class="moz-txt-link-abbreviated" href="mailto:theme-reviewers@lists.wordpress.org">theme-reviewers@lists.wordpress.org</a>
<a class="moz-txt-link-freetext" href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a>
</pre>
</blockquote>
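The distinction the thread keeps returning to, a $_SERVER value used in a conditional versus a $_SERVER value echoed into theme output, is easier to see side by side. The PHP below is an added illustration, not code written by any participant or taken from WordPress; the function names and the two sample request arrays are constructed for the example, ABSPATH is WordPress's own constant (tested here only via defined()), and htmlspecialchars() stands in for the escaping helpers a theme would normally use so that the file runs stand-alone.<br>

```php
<?php
// Added example (not code from the thread). Contrasts the two things the
// thread distinguishes: a $_SERVER value used in a conditional (the
// comments.php guard) versus a $_SERVER value echoed into output, which is
// what Mark Jaquith's linked post warns about. Function names are hypothetical.

// The guard as quoted in the thread: compares a server-set filesystem path
// against a fixed string and never prints the value, so a visitor has nothing
// to inject into. Whether it is useful is a separate question (see Dion's reply).
function is_direct_comments_request(array $server): bool {
    return isset($server['SCRIPT_FILENAME'])
        && 'comments.php' === basename($server['SCRIPT_FILENAME']);
}

// A template that is only ever included by WordPress can instead test for a
// constant WordPress defines, rather than inspecting the request at all.
function is_loaded_inside_wordpress(): bool {
    return defined('ABSPATH');
}

// Unsafe: request-derived values such as PHP_SELF or REQUEST_URI carry
// whatever path the visitor sent, so writing them raw into markup lets a
// crafted URL close the attribute and add its own markup.
function form_action_unsafe(array $server): string {
    return '<form action="' . $server['PHP_SELF'] . '">';
}

// Mitigation: encode for the HTML attribute context before output. A theme
// would use WordPress's escaping helpers; htmlspecialchars() is the plain-PHP
// equivalent used here so the example runs without WordPress loaded.
function form_action_escaped(array $server): string {
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $action . '">';
}

// Constructed sample requests (not captured from a real server).
$direct = [
    'SCRIPT_FILENAME' => '/var/www/wp-content/themes/example/comments.php',
    'PHP_SELF'        => '/wp-content/themes/example/comments.php',
];
$hostile = [
    'SCRIPT_FILENAME' => '/var/www/index.php',
    'PHP_SELF'        => '/index.php/"><b>injected</b>',
];

// The conditional only ever yields a boolean, regardless of the input.
var_dump(is_direct_comments_request($direct));
var_dump(is_direct_comments_request($hostile));
var_dump(is_loaded_inside_wordpress());

// The output functions are where the request-controlled string reaches HTML;
// compare the two renderings of the hostile request.
echo form_action_unsafe($hostile), PHP_EOL;
echo form_action_escaped($hostile), PHP_EOL;
```

Run with <code>php example.php</code>: the first two checks differ only in their boolean result, while the last two lines show the same PHP_SELF value once written raw and once attribute-encoded, which is the difference between the guard the reviewers were discussing and the output pattern Mark's post warns about.<br>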
</body>
</html>