[wp-trac] Re: [WordPress Trac] #3727: WP->parse_request() won't replace $pathinfo when $req_uri contains any %## encoding character.

WordPress Trac wp-trac at lists.automattic.com
Thu Aug 9 10:58:36 GMT 2007


#3727: WP->parse_request() won't replace $pathinfo when $req_uri contains any %##
encoding character.
-------------------------------+--------------------------------------------
 Reporter:  Kirin_Lin          |        Owner:  ryan    
     Type:  defect             |       Status:  reopened
 Priority:  high               |    Milestone:  2.2.2   
Component:  General            |      Version:  2.2     
 Severity:  blocker            |   Resolution:          
 Keywords:  rewrite permalink  |  
-------------------------------+--------------------------------------------
Changes (by hakre):

  * priority:  normal => high

Comment:

 Well then the question is at this point of the script if $req_uri mimics
 the client (as for the ''WordPress Rewrite Rule parsing engine'') or if it
 mimics the server (as for CGI, which should decode PATH_INFO).

 According to the side effect you are reporting (changeset:1841) I would say
 that the core WordPress development team should make clear and document
 which behaviour has to be implemented at this point of the source code:
 client or server. This affects the rewrite part as well. Until this has
 been made clear, any changes already made and any further changes will
 produce side effects and might even create critical attack vectors on
 WordPress.

 I would tend to say that at this point req_uri should be encoded (not
 decoded), but I'm not a core WordPress developer so this is more a personal
 opinion. I raise the priority to high to gather some more awareness.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/3727#comment:30>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
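
The client/server mismatch discussed in this message, as an added PHP illustration that is not WordPress core code and not part of the original post. The function names and the sample request values are constructed for the example; it assumes a server that passes REQUEST_URI as sent by the client and PATH_INFO already decoded.

```php
<?php
// Added illustration; not WordPress core code. Function names are hypothetical.

// Constructed sample values for a request to
// /index.php/archives/caf%C3%A9%20notes/?p=1
$server = [
    'REQUEST_URI' => '/index.php/archives/caf%C3%A9%20notes/?p=1', // client form: percent-encoded
    'PATH_INFO'   => "/archives/caf\u{e9} notes/",                  // server form: decoded
];

// Mixed representations: removing the decoded PATH_INFO from the encoded
// REQUEST_URI finds no match as soon as the path contains a %## escape,
// so the string comes back unchanged.
function strip_pathinfo_mixed(string $req_uri, string $pathinfo): string {
    return str_replace($pathinfo, '', $req_uri);
}

// "Server" choice: bring REQUEST_URI into decoded form first.
// The query string is dropped, the path is decoded exactly once, and
// PATH_INFO is only removed when it is the trailing part of the path.
function strip_pathinfo_decoded(string $req_uri, string $pathinfo): string {
    $path = rawurldecode(explode('?', $req_uri, 2)[0]);
    $len  = strlen($pathinfo);
    if ($len > 0 && substr($path, -$len) === $pathinfo) {
        return substr($path, 0, -$len);
    }
    return $path;
}

// "Client" choice: bring PATH_INFO into encoded form instead.
// Each segment is encoded separately so the "/" separators survive.
// Caveat: clients may encode the same path differently (lowercase hex,
// escaping characters that did not need it), so the encoded form must be
// normalised the same way on both sides before it is compared.
function encode_pathinfo(string $pathinfo): string {
    return implode('/', array_map('rawurlencode', explode('/', $pathinfo)));
}

$encoded_pathinfo = encode_pathinfo($server['PATH_INFO']);
$encoded_path     = explode('?', $server['REQUEST_URI'], 2)[0];

var_dump(strip_pathinfo_mixed($server['REQUEST_URI'], $server['PATH_INFO']));
var_dump(strip_pathinfo_decoded($server['REQUEST_URI'], $server['PATH_INFO']));
var_dump(str_replace($encoded_pathinfo, '', $encoded_path));
```

Whichever form is chosen, every later consumer of the value (rewrite rule matching included) has to be handed that same form, which is the documentation point the comment asks for.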

