[wp-trac] [WordPress Trac] #10360: $_REQUEST's slashes may differ from $_GET/$_POST
WordPress Trac
wp-trac at lists.automattic.com
Sat Jul 11 10:12:33 UTC 2009
#10360: $_REQUEST's slashes may differ from $_GET/$_POST
--------------------------+-------------------------------------------------
Reporter: dd32 | Owner: ryan
Type: defect (bug) | Status: new
Priority: normal | Milestone: 2.8.2
Component: Security | Version: 2.8
Severity: normal | Keywords: dev-feedback
--------------------------+-------------------------------------------------
Comment(by dd32):
Sorry, missed your first comment.
> , $_REQUEST is to be expected forced GET + POST. Both are mostly
> untainted that time so therefore I strongly speak to wontfix or invalid.
> There is no need to expect $_REQUEST to be slashed.
Except like what I originally said (now paraphrased):
WordPress will force $_GET/$_POST to be slashed REGARDLESS OF SERVER
SETUP; $_REQUEST doesn't gain the same treatment.
The comment in the code is just to force $_REQUEST to $_GET/$_POST (i.e. to
exclude $_SERVER and $_COOKIE).
The end result on a server where magic quotes are disabled is as such:
{{{
POST Data = "O'Niel";
$_POST = "O\'Niel";
$_REQUEST = "O'Niel";
}}}
--
Ticket URL: <http://core.trac.wordpress.org/ticket/10360#comment:24>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
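
The mismatch described in the comment above, reproduced as an added example; it is not WordPress core code and not part of the original message. The `example_*` function names and the request values are constructed, and rebuilding `$_REQUEST` from the slashed arrays is shown as one possible way to make the three arrays agree, not as the project's fix.

```php
<?php
// Added illustration. Function names are hypothetical, data is constructed.

// Recursively add slashes to every string value, as a forced-slashing step would.
function example_add_slashes_deep($value) {
    if (is_array($value)) {
        return array_map('example_add_slashes_deep', $value);
    }
    return is_string($value) ? addslashes($value) : $value;
}

// Return the keys whose value in $request differs from the slashed GET/POST data.
function example_slash_mismatches(array $request, array $get, array $post) {
    $expected = array_merge($get, $post);
    $mismatched = array();
    foreach ($expected as $key => $value) {
        if (!array_key_exists($key, $request) || $request[$key] !== $value) {
            $mismatched[] = $key;
        }
    }
    return $mismatched;
}

// Constructed request state on a server with magic quotes disabled:
// PHP has populated all three arrays with the raw, unslashed value.
$_GET     = array('page' => 'authors');
$_POST    = array('name' => "O'Niel");
$_REQUEST = array('page' => 'authors', 'name' => "O'Niel");

// Slash $_GET and $_POST only, leaving $_REQUEST as PHP built it.
$_GET  = example_add_slashes_deep($_GET);
$_POST = example_add_slashes_deep($_POST);

// $_POST['name'] now carries a backslash, $_REQUEST['name'] does not,
// so code that unslashes or escapes based on one array mishandles the other.
var_dump($_POST['name'], $_REQUEST['name']);
var_dump(example_slash_mismatches($_REQUEST, $_GET, $_POST));

// Rebuild $_REQUEST from the already-slashed arrays. This also drops any
// cookie or server values PHP may have merged in, matching the comment's
// point about excluding $_SERVER and $_COOKIE.
$_REQUEST = array_merge($_GET, $_POST);

var_dump($_REQUEST['name']);
var_dump(example_slash_mismatches($_REQUEST, $_GET, $_POST));
```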