[wp-trac] Re: [WordPress Trac] #6871: Plugins without headers don't show in the plugins page, keeping some exploits hidden

WordPress Trac wp-trac at lists.automattic.com
Wed Jul 16 15:25:28 GMT 2008


#6871: Plugins without headers don't show in the plugins page, keeping some
exploits hidden
------------------------------------------------------------+---------------
 Reporter:  guillep2k                                       |        Owner:  guillep2k
     Type:  defect                                          |       Status:  assigned 
 Priority:  high                                            |    Milestone:  2.6.1    
Component:  Security                                        |      Version:  2.6      
 Severity:  critical                                        |   Resolution:           
 Keywords:  exploit security has-patch dev-feedback tested  |  
------------------------------------------------------------+---------------
Comment (by santosj):

 Hmm. It seems that, in order to solve this problem, we should be checking
 that the path is within WP_PLUGIN_DIR. A simple regex that strips all
 "../" from the path and checks that the file exists within that directory
 should be efficient and solve the issue.

 All plugins should be relative to WP_PLUGIN_DIR, so this should work and
 file_exists() should work fine. It won't validate that the file has plugin
 metadata, which can still be done in the plugins administration.

 Do you agree?

-- 
Ticket URL: <http://trac.wordpress.org/ticket/6871#comment:22>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
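An added example of the containment check discussed in the comment above; this is not WordPress core code and not the reporter's patch. It canonicalises the path with realpath() instead of stripping "../" substrings, and the function name and the temporary directory standing in for WP_PLUGIN_DIR are assumptions.

```php
<?php
// Added example (not WordPress core code). Returns the canonical path of
// $plugin_file if it resolves to an existing regular file below $plugin_dir,
// or false otherwise. The function name is hypothetical.
function plugin_path_within_dir( $plugin_file, $plugin_dir ) {
    // Canonicalise the base directory; realpath() resolves symlinks and "..".
    $base = realpath( $plugin_dir );
    if ( false === $base ) {
        return false;
    }
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;

    // Plugin entries are stored relative to the plugin directory, for
    // example "demo/demo.php". Reject empty and absolute paths outright.
    if ( '' === $plugin_file
        || '/' === $plugin_file[0]
        || preg_match( '#^[A-Za-z]:#', $plugin_file ) ) {
        return false;
    }

    // realpath() returns false for a non-existent file, which covers the
    // file_exists() check mentioned in the comment; is_file() excludes dirs.
    $target = realpath( $base . $plugin_file );
    if ( false === $target || ! is_file( $target ) ) {
        return false;
    }

    // The canonical file must sit below the canonical base. Comparing with
    // the trailing separator prevents "/plugins-evil/x.php" matching
    // "/plugins" as a prefix.
    if ( 0 !== strpos( $target, $base ) ) {
        return false;
    }
    return $target;
}

// Constructed usage: a temporary directory stands in for WP_PLUGIN_DIR.
$dir = sys_get_temp_dir() . '/wp-plugins-example';
@mkdir( $dir . '/demo', 0700, true );
file_put_contents( $dir . '/demo/demo.php', "<?php // Plugin Name: Demo\n" );
file_put_contents( sys_get_temp_dir() . '/outside.php', "<?php\n" );

var_dump( plugin_path_within_dir( 'demo/demo.php', $dir ) );
var_dump( plugin_path_within_dir( '../outside.php', $dir ) );
var_dump( plugin_path_within_dir( 'demo/../../outside.php', $dir ) );
```

Only the first call returns a path; the two entries that climb out of the directory are rejected after canonicalisation rather than by pattern matching on the raw string.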

