[wp-trac] Re: [WordPress Trac] #8317: New installs: admin has user_level 0

WordPress Trac wp-trac at lists.automattic.com
Wed Nov 26 00:29:55 GMT 2008

#8317: New installs: admin has user_level 0
 Reporter:  Mr Pete  |        Owner:  jacobsantos
     Type:  defect   |       Status:  new        
 Priority:  normal   |    Milestone:  2.8        
Component:  Upgrade  |      Version:  2.5        
 Severity:  major    |   Resolution:             
 Keywords:           |  
Comment (by Mr Pete):

 I'm browsing down quickly. Obviously the first one is affected.

 Next one I see that will act differently in PHP5 and PHP4:

 taxonomy.php line 114, function _cat_row()
         $category = get_category( $category, OBJECT, 'display' );
         $category->count = number_format_i18n( $category->count );

 And the same at line 274, function link_cat_row()

 In PHP4, the original category object is not changed because $category is
 a copy. In PHP5, the original would be changed if number_format_i18n() is
 anything but a nop.

 I don't know if this is a problem or not. If the original should not be
 modified, the code is wrong for PHP5.

 Every function that accepts OBJECT as a return type acts differently in
 PHP5 and PHP4. I don't immediately see other issues in the code base than
 what I've outlined here, but then I only spent a few minutes.

 Again, this most likely impacts non-core code (all those "OBJECT" returns
 are there for a purpose, even though not used in the core code base.)

 Overall, I suspect the actual core code bugs related to this are rare.

 I suspect this is a potential security hole. A badly coded plugin has
 direct access to original objects in PHP5, because the objects (and
 arrays!) are returned by reference in all of the above functions.

 Should this be documented? I dunno... I'm just a noob.

Ticket URL: <http://trac.wordpress.org/ticket/8317#comment:27>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
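
Added example (not part of the original message and not WordPress code): the PHP 5 behaviour the comment above discusses, where a getter hands back the same object instance a cache holds, so a display-only edit like the one quoted from _cat_row() also changes the cached value, shown beside a variant that returns a clone. All demo_* names and the sample category are constructed for illustration.

```php
<?php
// Constructed stand-in for an object cache; hypothetical names, PHP 5 or later.
$demo_cache = array();

function demo_cache_set($id, $obj) {
    global $demo_cache;
    $demo_cache[$id] = $obj;
}

// Returns the cached object itself: in PHP 5+ the caller receives a handle
// to the same instance the cache holds, not a copy as in PHP 4.
function demo_get_category($id) {
    global $demo_cache;
    return $demo_cache[$id];
}

// Defensive variant: hand out a shallow copy so callers cannot alter the
// cached instance. Nested objects would still be shared and need __clone().
function demo_get_category_copy($id) {
    global $demo_cache;
    return clone $demo_cache[$id];
}

// Mirrors the pattern quoted from _cat_row(): a field is reformatted in
// place for display, which turns the integer count into a string.
function demo_row($category) {
    $category->count = number_format($category->count);
    return $category->name . ' (' . $category->count . ')';
}

// Constructed sample data.
$cat = new stdClass();
$cat->name = 'News';
$cat->count = 1234;
demo_cache_set(1, $cat);

// Case 1: display code works on the shared instance, then the cache is inspected.
echo demo_row(demo_get_category(1)), "\n";
var_dump(demo_get_category(1)->count);

// Reset the cached value, then repeat with the copying getter.
$demo_cache[1]->count = 1234;

// Case 2: display code works on a clone, then the cache is inspected.
echo demo_row(demo_get_category_copy(1)), "\n";
var_dump(demo_get_category(1)->count);
```

Comparing the two var_dump() results shows whether a caller's change reached the cached object; any code that later reads the cache sees whatever the first caller left there.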
