[wp-trac] [WordPress Trac] #54160: sanitize_key() / _wp_customize_include() is not able to handle non-scalar values
WordPress Trac
noreply at wordpress.org
Mon Sep 27 02:23:43 UTC 2021
#54160: sanitize_key() / _wp_customize_include() is not able to handle non-scalar values
--------------------------+---------------------
Reporter: dd32 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 5.9
Component: Formatting | Version:
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
--------------------------+---------------------
Comment (by dd32):
Replying to [comment:3 jrf]:
> Would be great to have you join this conversation to get to a point
> where we can architect a more structural solution for all such issues in WP
> (and there are many!).
Oh I know there are a lot of cases :) #17737 has caused me to effectively
[https://meta.trac.wordpress.org/browser/sites/trunk/wordpress.org/public_html/wp-content/mu-plugins/pub/wporg-bad-request.php add a "firewall" plugin to WordPress.org]
to limit the amount of notices/warnings we get from vulnerability scanners.
This ticket is just yet another cause of the same thing - core code that
doesn't sanitize that a value is remotely acceptable before using it, and
that's just in Core code, not even mentioning plugins.
I don't know what the ideal solution is here, but there's probably
something in #18322 or #22325 (e.g. `WP::GET( 'customize_changeset_uuid',
'string' )`, i.e. `WP::GET( $var, $expected_type = 'any' );`).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/54160#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
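As an added illustration (not WordPress core code or a patch from the ticket), here is what a type-checked request getter along the lines of the `WP::GET( $var, $expected_type )` idea looks like, next to a key sanitizer that tolerates the array-valued query strings scanners send. The names `request_var` and `sanitize_key_safe`, the type tags, and the sample query strings are assumptions for this example.

```php
<?php
// Added example, not WordPress core code. request_var(), sanitize_key_safe()
// and the 'string' / 'int' / 'array' / 'any' type tags are assumptions here.

/**
 * Return $source[$key] only when it has the expected PHP type, else $default.
 * Scanners routinely send ?param[]=x, turning a "string" parameter into an
 * array; a string-only consumer must reject that instead of warning later.
 */
function request_var( array $source, string $key, string $expected_type = 'any', $default = null ) {
    if ( ! array_key_exists( $key, $source ) ) {
        return $default;
    }
    $value = $source[ $key ];
    switch ( $expected_type ) {
        case 'string':
            return is_string( $value ) ? $value : $default;
        case 'int':
            // Accept real integers and purely numeric strings such as "42".
            $numeric = is_int( $value ) || ( is_string( $value ) && ctype_digit( $value ) );
            return $numeric ? (int) $value : $default;
        case 'array':
            return is_array( $value ) ? $value : $default;
        case 'any':
            return $value;
        default:
            throw new InvalidArgumentException( "Unknown expected type: $expected_type" );
    }
}

/** Stand-in key sanitizer: lowercase, then keep only [a-z0-9_-]; non-scalars give ''. */
function sanitize_key_safe( $key ): string {
    if ( ! is_scalar( $key ) ) {
        return ''; // an array or object yields an empty key rather than a PHP warning
    }
    return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) $key ) );
}

// Constructed query strings: a normal request versus a scanner-style one.
$normal  = array( 'customize_changeset_uuid' => 'A1B2-C3D4' );
$scanner = array( 'customize_changeset_uuid' => array( 'x' ) );

var_dump( request_var( $normal, 'customize_changeset_uuid', 'string' ) );  // string "A1B2-C3D4"
var_dump( request_var( $scanner, 'customize_changeset_uuid', 'string' ) ); // NULL: array rejected
var_dump( sanitize_key_safe( $scanner['customize_changeset_uuid'] ) );     // string ""
```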