[wp-trac] Re: [WordPress Trac] #9406: harden the security of the active_plugins array
WordPress Trac
wp-trac at lists.automattic.com
Thu Apr 2 15:56:03 GMT 2009
#9406: harden the security of the active_plugins array
-------------------------------+--------------------------------------------
Reporter: Denis-de-Bernardy | Owner: ryan
Type: defect (bug) | Status: new
Priority: high | Milestone: 2.7.2
Component: Security | Version:
Severity: major | Keywords:
-------------------------------+--------------------------------------------
Comment(by hakre):
Denis, thanks for taking the time to share your thoughts. I see no
problems with limiting the file extension to .php for plugins. This should
be checked directly before inclusion (at least).
I have created a patch that reflects those changes. Additionally, the
decision of what counts as a blacklisted plugin value is better documented
and structured.
Finally, the temporary variable ''$current_plugins'' is unset (as was
already done with the ''$plugins'' variable).
Please feel free to take a look at my other patchset, which I created for
better plugin security as well. It enables the admin to display, in
human-readable form, the database values used by get_option, especially
those which are serialized in the database: #9175
--
Ticket URL: <http://core.trac.wordpress.org/ticket/9406#comment:1>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
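The check described in the comment above (only .php files, validated directly before inclusion, bad values dropped rather than included), written out as an added stand-alone PHP example. This is not WordPress core code and not the patch attached to the ticket; the example_* function names, the temporary plugin directory and the serialized sample option value are all constructed for this illustration.

```php
<?php
// Added example for the ticket's proposal (not WordPress core code): validate
// every stored active_plugins entry directly before it is include()d, and
// drop anything that is not a .php file inside the plugin directory.
// All names here (example_* functions, the temp directory layout) are
// assumptions for this stand-alone script, not WordPress APIs.

// Return the reason an entry must be dropped, or null if it may be included.
function example_reject_reason($plugin, $plugin_dir) {
    if (!is_string($plugin) || $plugin === '') {
        return 'not a non-empty string';
    }
    if (preg_match('/[\x00-\x1f]/', $plugin)) {
        return 'control character (e.g. NUL) in path';
    }
    // Only .php files may ever reach include(); checked on the raw value.
    if (substr($plugin, -4) !== '.php') {
        return 'extension is not .php';
    }
    // Entries are relative to the plugin dir: no traversal, no absolute paths.
    if (strpos($plugin, '..') !== false || $plugin[0] === '/'
        || $plugin[0] === '\\' || preg_match('/^[A-Za-z]:/', $plugin)) {
        return 'absolute path or directory traversal';
    }
    // The file must exist and resolve inside the plugin dir; realpath()
    // also catches symlinks that point outside it.
    $base = realpath($plugin_dir);
    $real = realpath($plugin_dir . '/' . $plugin);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return 'file missing or outside the plugin dir';
    }
    return null;
}

// Filter a stored active_plugins value; returns the kept entries and the
// rejection reason for each dropped one (so the caller can log and persist).
function example_validate_active_plugins($active_plugins, $plugin_dir) {
    $kept = array();
    $rejected = array();
    if (!is_array($active_plugins)) {
        // A corrupted option (not an array) yields no plugins, not a guess.
        return array('kept' => $kept, 'rejected' => array(array('value' => $active_plugins, 'reason' => 'option is not an array')));
    }
    foreach ($active_plugins as $plugin) {
        $reason = example_reject_reason($plugin, $plugin_dir);
        if ($reason === null) {
            $kept[] = $plugin;
        } else {
            $rejected[] = array('value' => $plugin, 'reason' => $reason);
        }
    }
    return array('kept' => array_values(array_unique($kept)), 'rejected' => $rejected);
}

// --- Constructed sample data: a throwaway plugin dir and a serialized option.
$dir = sys_get_temp_dir() . '/example_plugins_' . getmypid();
mkdir($dir . '/hello-dolly', 0700, true);
mkdir($dir . '/akismet', 0700, true);
file_put_contents($dir . '/hello-dolly/hello.php', "<?php echo \"hello loaded\\n\";\n");
file_put_contents($dir . '/akismet/akismet.php', "<?php echo \"akismet loaded\\n\";\n");
file_put_contents($dir . '/notes.php.txt', "not a plugin\n");

$stored = serialize(array(
    'hello-dolly/hello.php',        // valid
    'akismet/akismet.php',          // valid
    'akismet/akismet.php',          // duplicate, collapsed
    'notes.php.txt',                // wrong extension
    '../wp-config.php',             // directory traversal
    '/etc/passwd.php',              // absolute path
    'missing/plugin.php',           // not on disk
    "hello-dolly/hello.php\0.txt",  // NUL-byte trick
    42,                             // not a string
));

// Never let unserialize() instantiate objects from option data.
$option = unserialize($stored, array('allowed_classes' => false));
$result = example_validate_active_plugins($option, $dir);

foreach ($result['rejected'] as $r) {
    printf("dropped %s: %s\n", var_export($r['value'], true), $r['reason']);
}
foreach ($result['kept'] as $plugin) {
    include_once $dir . '/' . $plugin;   // only validated entries get here
}
unset($option, $result);   // as the ticket does with $plugins / $current_plugins

// Clean up the sample directory.
foreach (array('hello-dolly/hello.php', 'akismet/akismet.php', 'notes.php.txt') as $f) {
    unlink($dir . '/' . $f);
}
rmdir($dir . '/hello-dolly'); rmdir($dir . '/akismet'); rmdir($dir);
```

Run it with `php example.php`; the two real sample plugins print their load message, the other seven entries are reported with the reason they were dropped. The realpath() comparison is the part that the extension check alone does not give you: it rejects symlinks and missing files as well as literal `..` segments, so the list that reaches include_once is exactly the set of existing .php files under the plugin directory.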