[theme-reviewers] Direct access prevention in comments.php - required or recommended?

Mike Little wordpress at zed1.com
Sun Sep 25 09:40:02 UTC 2011


Oops, accidentally pressed send...

This line has also been in every version of WordPress since 0.7.
Historically, the file wp-comments.php used to be in the root of the
WordPress directory (i.e. in the same place as wp-config.php).

And was probably instigated as it was one of the few files that would
produce output if requested directly. The line protects against that.

Even when the theme files moved into their own directory in 1.5, the default
(Kubrick) copied the same code. Interestingly, Classic dropped it.

In reality we should be cautious of any files that can produce output if
requested directly, especially if they might produce errors, as this can be
a source of information leak, and thus indirectly a security risk.

Mike
-- 
Mike Little
http://zed1.com/
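As an added illustration of the guard discussed above (example code written for this archive page, not Mike's code and not taken from any WordPress release): a theme partial that is only meaningful when include()d by the theme while WordPress is loaded. The first guard is the filename check of the kind the Kubrick comments.php carried; the second is the `ABSPATH` idiom, which is the more general test because `ABSPATH` is only defined once wp-load.php has run. The `post_password_required()` and `wp_list_comments()` calls are real WordPress template functions and stand in for "anything that needs WordPress loaded".

```php
<?php
/**
 * comments.php -- template partial, meant only to be include()d by the theme
 * while WordPress is loaded. Added example, not code from the mailing-list post.
 */

// Guard 1: the historical check. If this file's own name is the script the
// web server executed, the file was requested directly, so stop before any
// output or any call into WordPress.
if ( ! empty( $_SERVER['SCRIPT_FILENAME'] )
     && 'comments.php' === basename( $_SERVER['SCRIPT_FILENAME'] ) ) {
    die( 'Please do not load this page directly. Thanks!' );
}

// Guard 2: the general idiom. ABSPATH is defined by wp-load.php; if it is
// missing, no part of WordPress is loaded and nothing below is safe to run.
// On its own this guard already covers the direct-request case.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// From here on, WordPress functions exist. Without either guard, a direct
// request would reach this call, PHP would fail on the undefined function,
// and with display_errors enabled the response would include the error text
// and the server-side path of this file: the information leak the post warns about.
if ( post_password_required() ) {
    return;
}
?>
<div id="comments">
    <?php wp_list_comments(); ?>
</div>
```

With either guard in place, a direct request for the file yields only the short refusal text (or an empty response) rather than a PHP error. The guard is a per-file mitigation; the complementary, theme-independent control is to deny direct execution of PHP under the theme and upload directories at the web-server level, so that a file that forgot its guard still cannot produce error output.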