<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style id="owaParaStyle" type="text/css">P {margin-top:0;margin-bottom:0;}</style>
</head>
<body ocsi="0" fpstyle="1">
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">Directly the code isn't a security issue, but I've heard that there are bots out there that check the comments.php file for this code. If the bot finds this code it then begins
to try other attacks. So, while not directly a security issue it does attract spam and other ( possibly more damaging ) attacks.
<br>
<br>
Also, the code you posted really isn't needed. So, with the code not being needed, and it possibly opening a site to other attacks, I'd say that it should not be included in themes.<br>
<div style="font-family: Times New Roman; color: rgb(0, 0, 0); font-size: 16px;">
<hr tabindex="-1">
<div style="direction: ltr;" id="divRpF545938"><font face="Tahoma" size="2" color="#000000"><b>From:</b> theme-reviewers-bounces@lists.wordpress.org [theme-reviewers-bounces@lists.wordpress.org] on behalf of Chip Bennett [chip@chipbennett.net]<br>
<b>Sent:</b> Saturday, December 24, 2011 8:53 AM<br>
<b>To:</b> [theme-reviewers]<br>
<b>Subject:</b> [theme-reviewers] $_SERVER data<br>
</font><br>
</div>
<div></div>
<div>Lately, I've been seeing quite a few review comments indicating to remove this code, due to security issues:
<div><br>
</div>
<div>
<blockquote style="margin: 0pt 0pt 0pt 40px; border: medium none; padding: 0px;">
<div>
<p style="font-family: Verdana,Arial,'Bitstream Vera Sans',Helvetica,sans-serif; font-size: 13px; background-color: rgb(255, 255, 255);">
if ( !empty( $_SERVER<a class="missing wiki" href="http://themes.trac.wordpress.org/wiki/SCRIPT_FILENAME" rel="nofollow" style="text-decoration: none; color: rgb(153, 153, 136); border-bottom: 1px dotted rgb(187, 187, 187);" target="_blank">SCRIPT_FILENAME?</a> )
&& 'comments.php' == basename( $_SERVER<a class="missing wiki" href="http://themes.trac.wordpress.org/wiki/SCRIPT_FILENAME" rel="nofollow" style="text-decoration: none; color: rgb(153, 153, 136); border-bottom: 1px dotted rgb(187, 187, 187);" target="_blank">SCRIPT_FILENAME?</a> )
)<br>
</p>
<blockquote style="font-family: Verdana,Arial,'Bitstream Vera Sans',Helvetica,sans-serif; font-size: 13px; background-color: rgb(255, 255, 255);">
<p>die ( 'Please do not load this page directly. Thanks!' );</p>
</blockquote>
</div>
</blockquote>
</div>
<div><br>
</div>
<div>I don't believe that $_SERVER data used in this manner (i.e. as a conditional query, with no data being saved to the DB or output) is a security risk. What are your thoughts?</div>
<div><br>
</div>
<div>Chip</div>
</div>
</div>
</div>
</body>
</html>