[wp-trac] Re: [WordPress Trac] #2597: 304 Not Modified Headers not returned in RSS2 feed

WordPress Trac wp-trac at lists.automattic.com
Mon Apr 3 05:11:17 GMT 2006

#2597: 304 Not Modified Headers not returned in RSS2 feed
       Id:  2597            |      Status:  new                     
Component:  Administration  |    Modified:  Mon Apr  3 05:11:17 2006
 Severity:  major           |   Milestone:  2.1                     
 Priority:  normal          |     Version:  2.0.2                   
    Owner:  anonymous       |    Reporter:  gfmorris                
Comment (by markjaquith):

 All my testing indicates that {{{$_SERVER}}} '''is''', in fact, quoted by

 There are a limited number of HTTP headers you can inject quotes into just
 by using a browser, so I opened up a telnet session and injected quotes
 everywhere that I could (without invalidating the HOST, for example) and
 found that all these places were slashed when {{{magic_quotes_gpc}}} was

 I'm running PHP 4.3.10-16

 The PHP documentation on this is wrong, or at best, incomplete.

 Was the alleged vulnerability with $_SERVER ever tested?  I don't see a
 ticket associated with the commit.  It could have just been submitted to
 security at wordpress.org

Ticket URL: <http://trac.wordpress.org/ticket/2597>
WordPress Trac <http://wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list