[wp-trac] Re: [WordPress Trac] #2597: 304 Not Modified Headers not
returned in RSS2 feed
WordPress Trac
wp-trac at lists.automattic.com
Mon Apr 3 05:11:17 GMT 2006
#2597: 304 Not Modified Headers not returned in RSS2 feed
----------------------------+-----------------------------------------------
Id: 2597 | Status: new
Component: Administration | Modified: Mon Apr 3 05:11:17 2006
Severity: major | Milestone: 2.1
Priority: normal | Version: 2.0.2
Owner: anonymous | Reporter: gfmorris
----------------------------+-----------------------------------------------
Comment (by markjaquith):
All my testing indicates that {{{$_SERVER}}} '''is''', in fact, quoted by
{{{magic_quotes_gpc}}}.

There are a limited number of HTTP headers you can inject quotes into just
by using a browser, so I opened up a telnet session and injected quotes
everywhere that I could (without invalidating the HOST, for example) and
found that all these places were slashed when {{{magic_quotes_gpc}}} was
on.

I'm running PHP 4.3.10-16.

The PHP documentation on this is wrong, or at best, incomplete.

Was the alleged vulnerability with $_SERVER ever tested? I don't see a
ticket associated with the commit. It could have just been submitted to
security at wordpress.org.
--
Ticket URL: <http://trac.wordpress.org/ticket/2597>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
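
Added example, not part of the original message and not WordPress code: a PHP illustration of why slashed {{{$_SERVER}}} values matter for this ticket, assuming the feed's 304 decision compares the client's If-None-Match header against a quoted ETag. The function names and ETag values are hypothetical, and {{{addslashes()}}} stands in for {{{magic_quotes_gpc}}}; it goes slightly beyond the message by also handling entity-tag lists, weak validators and "*".

```php
<?php
// Added example: hypothetical helper names, constructed header values.

// Stand-in for what magic_quotes_gpc does to an incoming value:
// quotes and backslashes are prefixed with a backslash.
function emulate_magic_quotes(string $value): string
{
    return addslashes($value);
}

// Decide whether the client's If-None-Match header matches the current ETag.
// $unslash selects whether the header is passed through stripslashes() first.
function etag_matches(string $ifNoneMatch, string $currentEtag, bool $unslash): bool
{
    if ($unslash) {
        $ifNoneMatch = stripslashes($ifNoneMatch);
    }
    if (trim($ifNoneMatch) === '*') {
        return true; // "*" matches any current representation
    }
    // Simplification: split on commas, which assumes no comma inside a tag.
    foreach (explode(',', $ifNoneMatch) as $candidate) {
        $candidate = trim($candidate);
        // Weak comparison: a W/ prefix is ignored when matching.
        if (strncmp($candidate, 'W/', 2) === 0) {
            $candidate = substr($candidate, 2);
        }
        if ($candidate === $currentEtag) {
            return true;
        }
    }
    return false;
}

$currentEtag = '"5f2c9a"';              // constructed ETag, quotes included
$sentByClient = '"0000aa", W/"5f2c9a"'; // constructed If-None-Match value
$seenByScript = emulate_magic_quotes($sentByClient);

// The value as the script would read it from $_SERVER['HTTP_IF_NONE_MATCH'].
var_dump($seenByScript);
// Comparison on the raw, slashed value.
var_dump(etag_matches($seenByScript, $currentEtag, false));
// Comparison after removing the added slashes.
var_dump(etag_matches($seenByScript, $currentEtag, true));
```

Unslash only where the value is known to have been slashed: {{{stripslashes()}}} applied to an unmodified header would alter any backslash the client actually sent.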