[theme-reviewers] Functions.php Worm

Otto otto at ottodestruct.com
Wed Oct 13 15:37:24 UTC 2010


On Wed, Oct 13, 2010 at 10:23 AM, Andrew Nacin <wp at andrewnacin.com> wrote:
> On Wed, Oct 13, 2010 at 11:11 AM, Otto <otto at ottodestruct.com> wrote:
>>
>> Tangentially related: Can anybody think of a legitimate reason for a
>> theme to ever use file_get_contents() in any way that makes sense or
>> has no better way to do things?
>
> No, for the simple reason that they should instead be using wp_remote_get.
> A decent number do though, with okay intentions (but they should still be
> using wp_remote_get).
> http://www.google.com/search?q=site:themes.svn.wordpress.org+file_get_contents
> Of course, at what point does someone begin to simply use core functions
> maliciously?

Yes, I thought of that, however I was thinking more along the lines of
using file_get_contents to get a file out of the local theme folder
and manipulate it.

Possible example: A text template of some kind. A local file gets read
and %stuff% gets replaced with data for use somewhere.
Counter-example to that: Use the File API stuff instead.

Of course, one can always use WP functions to do bad things too, so
checking for this sort of thing is a club solution at best. No
automated system is going to be able to detect "evil".

-Otto
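A reviewer-side check of the kind this thread is weighing, added here as an example and not code from the theme-review team or WordPress: it scans PHP source for file_get_contents() calls and buckets each argument (remote URL, local theme file, user-controlled, unknown) so a human reviewer knows where to look. The sample PHP source and the bucket labels are constructed for this example; it only handles single-line calls.

```python
import re
from typing import List, Tuple

# Constructed sample of theme PHP source (not from any real theme), one call per pattern.
SAMPLE_PHP = r"""<?php
$feed = file_get_contents('http://example.com/feed.json');
$tpl  = file_get_contents(get_template_directory() . '/templates/card.txt');
$data = file_get_contents($_GET['src']);
$out  = wp_remote_get('http://example.com/feed.json');
"""

# Matches a single-line file_get_contents(...) call and captures its argument text.
CALL_RE = re.compile(r"file_get_contents\s*\(\s*([^;]*?)\s*\)\s*;")


def classify_argument(arg: str) -> str:
    """Bucket a file_get_contents() argument into a reviewer verdict (labels are constructed)."""
    stripped = arg.strip()
    # A literal http(s) URL: this is a remote fetch and belongs in wp_remote_get().
    if re.match(r"""^['"]https?://""", stripped):
        return "remote-url: use wp_remote_get()"
    # Request data flowing straight into a file read needs a human to look at it.
    if any(sup in stripped for sup in ("$_GET", "$_POST", "$_REQUEST")):
        return "user-controlled: manual review required"
    # A path rooted in the theme directory: the local-template case from the thread.
    if any(fn in stripped for fn in ("get_template_directory", "get_stylesheet_directory", "__DIR__")):
        return "local-theme-file: consider WP_Filesystem API"
    return "unknown: manual review"


def scan_php(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, argument, verdict) for every file_get_contents() call found."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            arg = m.group(1)
            findings.append((lineno, arg, classify_argument(arg)))
    return findings


if __name__ == "__main__":
    for lineno, arg, verdict in scan_php(SAMPLE_PHP):
        print(f"line {lineno}: file_get_contents({arg}) -> {verdict}")
```

As the thread says, this is a blunt instrument: it points a reviewer at call sites, it cannot decide intent.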

