[wp-trac] [WordPress Trac] #10360: $_REQUEST's slashes may differ from $_GET/$_POST

WordPress Trac wp-trac at lists.automattic.com
Sat Jul 11 09:40:24 UTC 2009


#10360: $_REQUEST's slashes may differ from $_GET/$_POST
--------------------------+-------------------------------------------------
 Reporter:  dd32          |       Owner:  ryan                    
     Type:  defect (bug)  |      Status:  new                     
 Priority:  normal        |   Milestone:  2.8.2                   
Component:  Security      |     Version:  2.9                     
 Severity:  normal        |    Keywords:  needs-patch dev-feedback
--------------------------+-------------------------------------------------

Comment(by hakre):

 Using $_REQUEST should just be considered bad practice, whatever is merged
 in there. In fact you can't properly determine that without checking the
 PHP configuration, and with WordPress even the core code. For any developer
 I would advise not to use it. Anyway, that is just a side note.

 Since parts of the WordPress code (still) depend on $_REQUEST, it should
 contain at least the same values as $_POST and $_GET (as Denis points
 out). If $_POST and $_GET are slashed in a different way than $_REQUEST is
 (as this ticket suggests), there is a need to make it the same way.

 Merging should be placed after slashing $_POST and $_GET.

 Additionally an object could be instantiated that abstracts and contains
 the request data as submitted. This object could then be used to give
 access to untainted values as well as to give access to post, get, files,
 cookies, (a configured) request and whatever is needed or useful.

 So is there any piece of documentation available on whether or not
 $_REQUEST should contain untainted or slashed data? Even though it does
 differ from $_POST / $_GET, it might be the intended behaviour. In case it
 should be the same I can provide a patch.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/10360#comment:17>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
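The divergence the ticket and this comment describe, and the "merge after slashing" fix the comment proposes, as an added example. This is not code from WordPress core or from the ticket; it simulates PHP's superglobals with plain arrays ($get, $post, $request) and uses two hypothetical helpers, slash_deep() and request_in_sync(). The sample request values are constructed, and magic_quotes_gpc is assumed to be off so nothing needs unslashing first.

```php
<?php
// Added example (not WordPress core code and not from the ticket):
// shows how slashing $_GET and $_POST in place leaves $_REQUEST with the
// original, unslashed copies, and how rebuilding $_REQUEST only after
// slashing keeps all three arrays in step.
// slash_deep() and request_in_sync() are hypothetical helper names.

// Constructed sample input, as PHP would populate $_GET and $_POST from a
// request when magic_quotes_gpc=Off (assumption for this example).
$get  = array( 'q' => "O'Reilly", 'page' => '1' );
$post = array( 'title' => 'say "hi"', 'tags' => array( 'a\\b', "it's" ) );

// PHP builds $_REQUEST by merging the other superglobals (request_order
// decides precedence; POST winning over GET is assumed here). It is a
// separate copy: later writes to $_GET/$_POST do not propagate into it.
$request = array_merge( $get, $post );

// Recursive addslashes(), the same shape as a deep "add magic quotes" pass.
function slash_deep( $value ) {
    if ( is_array( $value ) ) {
        return array_map( 'slash_deep', $value );
    }
    return addslashes( $value );
}

// True only if every key of $get and $post is present in $request with the
// identical value (nested arrays are compared with === as a whole).
function request_in_sync( array $get, array $post, array $request ) {
    foreach ( array( $get, $post ) as $src ) {
        foreach ( $src as $k => $v ) {
            if ( ! array_key_exists( $k, $request ) || $request[ $k ] !== $v ) {
                return false;
            }
        }
    }
    return true;
}

// Step 1: slash $_GET and $_POST in place, as the bootstrap does.
$get  = slash_deep( $get );
$post = slash_deep( $post );

// $request still carries the unslashed copies, so the three disagree.
echo 'in sync after slashing GET/POST only: ';
var_dump( request_in_sync( $get, $post, $request ) );
echo 'REQUEST q: ' . $request['q'] . "\n";
echo 'GET q:     ' . $get['q'] . "\n";

// Step 2, the fix proposed in the comment: merge into $_REQUEST only after
// $_GET and $_POST have been slashed, so it holds the same slashed values.
$request = array_merge( $get, $post );
echo 'in sync after re-merging: ';
var_dump( request_in_sync( $get, $post, $request ) );
```

Running this shows the first request_in_sync() call returning false and the second returning true; before the re-merge $request['q'] still reads O'Reilly while $get['q'] reads O\'Reilly. The practical risk is that code reading $_REQUEST and applying the same stripslashes()/escaping path used for $_GET and $_POST will either mangle legitimate backslashes or leave a quote unescaped, depending on which copy it happens to see, which is why the merge order matters.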