[wp-trac] Re: [WordPress Trac] #3727: WP->parse_request() won't
replace $pathinfo when $req_uri contains any %## encoding character.
WordPress Trac
wp-trac at lists.automattic.com
Thu Aug 9 10:58:36 GMT 2007
#3727: WP->parse_request() won't replace $pathinfo when $req_uri contains any %##
encoding character.
-------------------------------+--------------------------------------------
 Reporter:  Kirin_Lin          |        Owner:  ryan
     Type:  defect             |       Status:  reopened
 Priority:  high               |    Milestone:  2.2.2
Component:  General            |      Version:  2.2
 Severity:  blocker            |   Resolution:
 Keywords:  rewrite permalink  |
-------------------------------+--------------------------------------------
Changes (by hakre):
* priority: normal => high
Comment:
Well then, the question at this point of the script is whether $req_uri
mimics the client (as for the ''WordPress Rewrite Rule parsing engine'') or
whether it mimics the server (as with CGI, which should decode PATH_INFO).

According to the side effect you are reporting (changeset:1841), I would say
that the core WordPress development team should make clear and document
which behaviour has to be implemented at this point of the source code:
client or server. This affects the rewrite part as well. Until this has been
made clear, any changes made so far and any further changes will produce
side effects and might even create critical attack vectors on WordPress.

I would tend to say that at this point req_uri should be encoded (not
decoded), but I'm not a core WordPress developer, so this is more a personal
opinion. I raise the priority to high to gather some more awareness.
--
Ticket URL: <http://trac.wordpress.org/ticket/3727#comment:30>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
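
The mismatch this comment discusses, as an added example that is not part of the original message and is not WordPress code: a percent-encoded request URI compared against a server-decoded PATH_INFO, with the comparison done in mixed, decoded ("server") and encoded ("client") form. The helper names and sample paths are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not WordPress code. All values below are constructed.
// REQUEST_URI is the raw, percent-encoded path as the client sent it;
// PATH_INFO is handed over by the server already decoded.

// Hypothetical helper: plain substring removal with mixed representations.
function strip_pathinfo_mixed(string $req_uri, string $pathinfo): string {
    return str_replace($pathinfo, '', $req_uri);
}

// Hypothetical helper, "server" view: decode $req_uri once, compare decoded.
function strip_pathinfo_decoded(string $req_uri, string $pathinfo): string {
    return str_replace($pathinfo, '', rawurldecode($req_uri));
}

// Hypothetical helper, "client" view: re-encode $pathinfo per segment and
// compare encoded. Only matches if the client used the same encoding.
function strip_pathinfo_encoded(string $req_uri, string $pathinfo): string {
    $segments = array_map('rawurlencode', explode('/', $pathinfo));
    return str_replace(implode('/', $segments), '', $req_uri);
}

$samples = [
    // [raw REQUEST_URI, decoded PATH_INFO]
    ['/index.php/archives/hello-world/',   '/archives/hello-world/'],
    ['/index.php/archives/hello%20world/', '/archives/hello world/'],
    // Same resource, but the client chose to encode "~" as %7E.
    ['/index.php/archives/%7Euser/',       '/archives/~user/'],
];

foreach ($samples as [$req_uri, $pathinfo]) {
    printf("%-36s mixed=%-36s decoded=%-12s encoded=%s\n",
        $req_uri,
        strip_pathinfo_mixed($req_uri, $pathinfo),
        strip_pathinfo_decoded($req_uri, $pathinfo),
        strip_pathinfo_encoded($req_uri, $pathinfo));
}
```

Whichever representation is chosen, both strings have to be in that form before they are compared, and any decoding has to happen exactly once.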