[theme-reviewers] Direct access prevention in comments.php - required or recommended?

Chip Bennett chip at chipbennett.net
Mon Sep 26 21:21:01 UTC 2011


No worries; at least as far as I am concerned, these kinds of discussions
are absolutely appropriate for this mailing list.

*I would say that, at current, the Guidelines are silent on the matter.*

There are security best-practice arguments to be made to ensure that
template-part files cannot be loaded directly, and we should probably put
something in place with respect to those best practices.

On the other hand, the specific implementation you referenced, as written,
does not pose a security risk. There may be other/better ways to do it, or
that way may be the best way.

(How's that for equivocation? :) )

If anyone would like to suggest best practices in this area, this would be a
great place to do so!

Chip

On Mon, Sep 26, 2011 at 4:10 PM, Tyler Cunningham <
seizedpropaganda at gmail.com> wrote:

>  Sorry to resurrect this thread but is the consensus now that this line
> does not need to be removed? I apologize if I submitted faulty information
> before, I was simply going off what I witnessed another reviewer marking as
> required in their reviews (which is when I started doing it myself). I am
> getting the impression that this line does not need to be removed like I
> originally thought, am I correct in that assumption?
>
> Thanks.
>
> Regards,
>
> Tyler Cunningham  |  Founder, COO - CyberChimps LLC<http://CyberChimps.com/>
>
> @tylerbcunning <http://twitter.com/tylerbcunning>
> http://gplus.to/tylercunningham
> http://linkedin.com/in/tylerbcunningham
> tyler at cyberchimps.com
>
> On Sunday, September 25, 2011 at 2:40 AM, Mike Little wrote:
>
> Oops, accidentally pressed send...
>
> This line has also been in every version of WordPress since 0.7.
> Historically, the file wp-comments.php used to be in the root of the
> WordPress directory (i.e. in the same place as wp-config.php).
>
> It was probably instigated because it was one of the few files that would
> produce output if requested directly. The line protects against that.
>
> Even when the theme files moved into their own directory in 1.5, the default
> theme (Kubrick) copied the same code. Interestingly, Classic dropped it.
>
> In reality we should be cautious of any files that can produce output if
> requested directly, especially if they might produce errors, as this can be
> a source of information leak and thus indirectly a security risk.
>
> Mike
> --
> Mike Little
> http://zed1.com/
>
>
>  _______________________________________________
> theme-reviewers mailing list
> theme-reviewers at lists.wordpress.org
> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>
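A reviewer's helper, added here as an example and not part of this thread, that lists a theme's PHP files lacking either of the two common direct-access guards (an ABSPATH check or the older SCRIPT_FILENAME check; treating exactly those idioms as "a guard" is an assumption). It builds a throwaway fixture theme so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): find theme PHP files that have no
# direct-access guard. Assumption: a file counts as guarded if it mentions
# either the ABSPATH constant or the legacy SCRIPT_FILENAME check.
# Unguarded files are printed one path per line.

unguarded_templates() {
    theme_dir="$1"
    find "$theme_dir" -type f -name '*.php' | sort | while IFS= read -r f; do
        if ! grep -Eq 'ABSPATH|SCRIPT_FILENAME' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Returns the number of unguarded files under a theme directory.
count_unguarded() {
    unguarded_templates "$1" | wc -l | tr -d ' '
}

# Constructed fixture: a throwaway "theme" with one guarded and one
# unguarded template file. Prints the fixture directory.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/template-parts"
    cat > "$dir/comments.php" <<'EOF'
<?php
// Guarded: bail out unless loaded through WordPress, so a direct
// request renders nothing and triggers no errors.
if ( ! defined( 'ABSPATH' ) ) { exit; }
?>
<ol class="commentlist"><?php wp_list_comments(); ?></ol>
EOF
    cat > "$dir/template-parts/content.php" <<'EOF'
<?php
// Unguarded: requested directly, this runs outside WordPress and the
// undefined function below becomes a fatal error (possible info leak).
the_content();
EOF
    printf '%s\n' "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    fixture=$(make_fixture)
    unguarded_templates "$fixture"   # prints .../template-parts/content.php
    rm -rf "$fixture"
fi
```

Run it with `--demo` to see the fixture result, or call `unguarded_templates /path/to/theme` against a real theme directory.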

