[wp-trac] Re: [WordPress Trac] #2858: Problem with wp_get_referer()
WordPress Trac
wp-trac at lists.automattic.com
Sat Jun 24 22:11:07 GMT 2006
#2858: Problem with wp_get_referer()
----------------------------+-----------------------------------------------
 Reporter:  tereshchenko    |        Owner:  anonymous
     Type:  defect          |       Status:  reopened
 Priority:  normal          |    Milestone:  2.0.4
Component:  Administration  |      Version:  2.0.4
 Severity:  normal          |   Resolution:
 Keywords:                  |
----------------------------+-----------------------------------------------
Comment (by masquerade):
Nice call, Matt. For safety, we should strip out "\r\n" from
$_REQUEST['_wp_http_referer'] just to be slightly paranoid. A link with
_wp_http_referer with \r\n in it could be used to do an HTTP response
splitting attack (although most likely anything that would refer is likely
to be nonce protected anyways, but I haven't looked too deeply into the
code to confirm that, and my bet is that the information would be used to
refer backwards if a user was to hit "No", so yes, if my guess is correct
(I'll dive into the code and check later), this does open us up. A simple
{{{return str_replace("\r\n", '', $ref)}}} on line 864 of functions.php
would solve the issue.
--
Ticket URL: <http://trac.wordpress.org/ticket/2858>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
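
The stripping step suggested in the comment above, as an added example that is not part of the original message and is not WordPress code: it compares removing only the "\r\n" pair with removing every CR and LF, run over constructed referer values. The function names and the sample header name are hypothetical.

```php
<?php
// Added illustration; hypothetical helpers, not code from WordPress.

// The one-liner from the comment: removes only the exact CR+LF pair.
function strip_crlf_pair($ref) {
    return str_replace("\r\n", '', $ref);
}

// Stricter variant: removes every CR and every LF, paired or not.
function strip_all_line_breaks($ref) {
    return str_replace(array("\r", "\n"), '', $ref);
}

// True if the value still contains a character that can end a header line.
function has_line_break($value) {
    return strpbrk($value, "\r\n") !== false;
}

// Constructed sample values, shaped like $_REQUEST['_wp_http_referer']
// after PHP has URL-decoded the request.
$samples = array(
    'clean'     => '/wp-admin/edit.php',
    'crlf pair' => "/wp-admin/edit.php\r\nX-Constructed: 1",
    'lone LF'   => "/wp-admin/edit.php\nX-Constructed: 1",
    'lone CR'   => "/wp-admin/edit.php\rX-Constructed: 1",
    // str_replace makes a single pass, so removing the inner pair
    // from CR CR LF LF leaves a fresh CR LF behind.
    'nested'    => "/wp-admin/edit.php\r\r\n\nX-Constructed: 1",
);

foreach ($samples as $label => $ref) {
    printf(
        "%-10s pair-only: %-12s all: %s\n",
        $label,
        has_line_break(strip_crlf_pair($ref)) ? 'still breaks' : 'ok',
        has_line_break(strip_all_line_breaks($ref)) ? 'still breaks' : 'ok'
    );
}
```

Removing the two characters individually also covers the nested case, where a single-pass removal of the pair leaves a new pair behind.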