[wp-trac] Re: [WordPress Trac] #6871: Plugins without headers don't
show in the plugins page, keeping some exploits hidden
WordPress Trac
wp-trac at lists.automattic.com
Wed Jul 16 15:25:28 GMT 2008
#6871: Plugins without headers don't show in the plugins page, keeping some
exploits hidden
------------------------------------------------------------+---------------
Reporter: guillep2k | Owner: guillep2k
Type: defect | Status: assigned
Priority: high | Milestone: 2.6.1
Component: Security | Version: 2.6
Severity: critical | Resolution:
Keywords: exploit security has-patch dev-feedback tested |
------------------------------------------------------------+---------------
Comment (by santosj):
Hmm. It seems that in order to solve this problem, we should be checking
that the path is within the WP_PLUGIN_DIR. A simple regex that strips all
"../" from the path and checks that the file exists within that directory
should be efficient and solve the issue.

All plugins should be relative to WP_PLUGIN_DIR, so this should work and
file_exists() should work fine. It won't validate that the file has plugin
metadata, which can still be done in the plugins administration.

Do you agree?
--
Ticket URL: <http://trac.wordpress.org/ticket/6871#comment:22>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
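
The containment check discussed in the comment above, as an added example that is not part of the original message or of WordPress core: it canonicalises the path with realpath() rather than stripping "../" with a regex, then requires the result to sit under the plugin directory. The helper name resolve_plugin_file and the temporary directory layout standing in for WP_PLUGIN_DIR are assumptions made for illustration.

```php
<?php
// Added example, not WordPress core code. $plugin_dir stands in for WP_PLUGIN_DIR.

/**
 * Return the canonical path of $relative if it is a regular file inside
 * $plugin_dir, or false otherwise. (Hypothetical helper name.)
 */
function resolve_plugin_file( $plugin_dir, $relative ) {
    $base = realpath( $plugin_dir );
    if ( false === $base ) {
        return false; // plugin directory itself is missing
    }
    // realpath() collapses "../", "./" and symlinks, and fails if the file does not exist.
    $full = realpath( $base . DIRECTORY_SEPARATOR . $relative );
    if ( false === $full || ! is_file( $full ) ) {
        return false;
    }
    // Compare against the base plus a trailing separator so that a sibling
    // such as "plugins-old" does not pass as being inside "plugins".
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strncmp( $full, $prefix, strlen( $prefix ) ) ) {
        return false;
    }
    return $full;
}

// Constructed sample layout in a temporary directory (runs offline).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wp-example-' . uniqid();
mkdir( $root . '/plugins/hello', 0700, true );
mkdir( $root . '/plugins-old', 0700, true );
file_put_contents( $root . '/plugins/hello/hello.php', "<?php // Plugin Name: Hello\n" );
file_put_contents( $root . '/plugins-old/stale.php', "<?php\n" );
file_put_contents( $root . '/wp-config.php', "<?php\n" );

$samples = array(
    'hello/hello.php',          // inside the plugin directory
    'hello/../hello/hello.php', // still inside after canonicalisation
    '../wp-config.php',         // resolves outside the plugin directory
    '../plugins-old/stale.php', // sibling directory sharing the name prefix
    'missing/none.php',         // file does not exist
);
foreach ( $samples as $rel ) {
    $ok = resolve_plugin_file( $root . '/plugins', $rel );
    printf( "%-28s %s\n", $rel, false !== $ok ? 'accept' : 'reject' );
}
```

As the comment notes, a check like this only establishes where the file lives; whether it carries plugin metadata is a separate validation.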