[wp-trac] Re: [WordPress Trac] #7677: WordPress should implement HttpOnly Cookies to slow down XSS
WordPress Trac
wp-trac at lists.automattic.com
Thu Sep 4 07:43:52 GMT 2008
#7677: WordPress should implement HttpOnly Cookies to slow down XSS
----------------------------------------------+-----------------------------
Reporter: _ck_ | Owner: anonymous
Type: defect | Status: new
Priority: high | Milestone: 2.7
Component: Security | Version:
Severity: major | Resolution:
Keywords: cookies needs-patch dev-reviewed |
----------------------------------------------+-----------------------------
Comment (by _ck_):
The 'ghetto' technique you are referring to (simply appending the flag
onto the domain) is what PHP 5.2 does internally anyway. The PHP setcookie
function does not modify or filter the domain string; it's passed directly
to the browser. In theory, you shouldn't even have to use the 5.2 "TRUE"
flag method and could use the domain append method for all versions
(though I have not tested that notion).
If it's left not dealing with PHP 4.x, I'll just have to release a plugin to
replace the pluggable function for PHP 4.x users. There are far too many
who cannot control what version of PHP their shared host uses. But the sad
part is that most of those users won't know to go looking for the plugin
so they'll miss out on the extra security and just blame WordPress instead
of their PHP/host when they get hacked.
I'm just saying WordPress could use as few complaints about security as
possible - if it's this easy to help, why not do all we can (ounce of
prevention and all that).
--
Ticket URL: <http://trac.wordpress.org/ticket/7677#comment:11>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
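The two ways of getting an HttpOnly flag onto a cookie that this thread discusses, as an added example that is not code from the ticket, from the plugin _ck_ mentions, or from WordPress core: on PHP 5.2 and later, setcookie() takes a seventh boolean argument for HttpOnly; on older PHP the header has to be produced some other way. The helper name ck_set_httponly_cookie() is an assumption, and the fallback below writes the Set-Cookie header with header() instead of appending "; HttpOnly" to the domain string, so it does not depend on setcookie() passing the domain through unfiltered.

```php
<?php
// Added example, not from the ticket or from WordPress core.
// Assumption: the helper name ck_set_httponly_cookie() is made up for this
// illustration; its parameters mirror setcookie()'s first six arguments.

/**
 * Set a cookie carrying the HttpOnly attribute on any PHP version.
 *
 * PHP >= 5.2.0: use the native seventh argument of setcookie().
 * Older PHP:    build the Set-Cookie header by hand and emit it with
 *               header(), which is what setcookie() does internally.
 *
 * Returns true when a header was queued, false when the name is unsafe.
 */
function ck_set_httponly_cookie($name, $value, $expire = 0, $path = '/', $domain = '', $secure = false) {
    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        // setcookie(name, value, expire, path, domain, secure, httponly)
        return setcookie($name, $value, $expire, $path, $domain, $secure, true);
    }

    // Fallback for PHP 4.x / 5.0 / 5.1, which have no httponly argument.
    // Because header() bypasses setcookie()'s own checks, reject the
    // characters that would let a caller smuggle extra cookie attributes
    // or split the header line.
    if (preg_match('/[=,; \t\r\n\013\014]/', $name)) {
        return false;
    }

    // urlencode() matches how setcookie() encodes values, so $_COOKIE
    // decodes the same way on the next request.
    $header = $name . '=' . urlencode($value);

    if ($expire > 0) {
        // Same GMT date layout setcookie() emits, e.g. Thu, 04-Sep-2008 07:43:52 GMT
        $header .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expire) . ' GMT';
    }
    if ($path !== '') {
        $header .= '; path=' . $path;
    }
    if ($domain !== '') {
        $header .= '; domain=' . $domain;
    }
    if ($secure) {
        $header .= '; secure';
    }
    $header .= '; HttpOnly';

    // Second argument false: add this Set-Cookie line instead of replacing
    // any Set-Cookie header already queued for this response.
    header('Set-Cookie: ' . $header, false);
    return true;
}

// Usage, before any output is sent (headers cannot be added afterwards):
// ck_set_httponly_cookie('example_auth', 'opaque-token', time() + 172800, '/', '', false);
```

A plugin that overrides the pluggable cookie function would call this helper wherever core currently calls setcookie(), with whatever signature the installed WordPress version uses. Two caveats worth keeping in mind: HttpOnly only stops script from reading the cookie through document.cookie, so an XSS payload can still drive authenticated requests from the victim's browser while the page is open; and the fallback path trusts $path and $domain as given, so they should come from configuration constants rather than request data.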