[theme-reviewers] $_SERVER data
Rankin, Matthew W. (Student)
mrankin at my.ccsu.edu
Sat Dec 24 15:36:32 UTC 2011
Directly the code isn't a security issue, but I've heard that there are bots out there that check the comments.php file for this code. If the bot finds this code it then begins to try other attacks. So, while not directly a security issue it does attract spam and other ( possibly more damaging ) attacks.
Also, the code you posted really isn't needed. So, with the code not being needed, and it possibly opening a site to other attacks, I'd say that it should not be included in themes.
________________________________
From: theme-reviewers-bounces at lists.wordpress.org [theme-reviewers-bounces at lists.wordpress.org] on behalf of Chip Bennett [chip at chipbennett.net]
Sent: Saturday, December 24, 2011 8:53 AM
To: [theme-reviewers]
Subject: [theme-reviewers] $_SERVER data
Lately, I've been seeing quite a few review comments indicating to remove this code, due to security issues:
if ( !empty( $_SERVERSCRIPT_FILENAME?<http://themes.trac.wordpress.org/wiki/SCRIPT_FILENAME> ) && 'comments.php' == basename( $_SERVERSCRIPT_FILENAME?<http://themes.trac.wordpress.org/wiki/SCRIPT_FILENAME> ) )
die ( 'Please do not load this page directly. Thanks!' );
I don't believe that $_SERVER data used in this manner (i.e. as a conditional query, with no data being saved to the DB or output) is a security risk. What are your thoughts?
Chip
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.wordpress.org/pipermail/theme-reviewers/attachments/20111224/6720df7e/attachment.htm>
More information about the theme-reviewers
mailing list