[wp-trac] [WordPress Trac] #10360: $_REQUEST's slashes may differ from $_GET/$_POST
WordPress Trac
wp-trac at lists.automattic.com
Fri Jul 31 22:13:26 UTC 2009
#10360: $_REQUEST's slashes may differ from $_GET/$_POST
--------------------------+-------------------------------------------------
Reporter: dd32 | Owner: markjaquith
Type: defect (bug) | Status: accepted
Priority: normal | Milestone: 2.8.3
Component: Security | Version: 2.8
Severity: normal | Keywords: has-patch commit
--------------------------+-------------------------------------------------
Changes (by markjaquith):
* owner: ryan => markjaquith
* status: new => accepted
Comment:
I regret that "always slashed" was chosen for {{{$_GET}}} and
{{{$_POST}}}, but that ship has sailed. If we want to change that, it's
going to be a long journey, because there is a very real possibility that
such a change will introduce security issues in plugins. But that is a
separate topic.
I agree with dd32 that this is about consistency. Honestly, '''it was news
to me''' that {{{$_REQUEST}}} is not slashed (not that I'm in the habit of
trusting user data!) I regard {{{$_REQUEST}}} as {{{$_GET}}} +
{{{$_POST}}}, and both {{{$_GET}}} and {{{$_POST}}} are always slashed—so
why wouldn't {{{$_REQUEST}}} always be slashed? There is the possibility
that changing this will break a few plugins for some setups, '''but those
plugins were already broken''' because on other server setups
{{{$_REQUEST}}} '''will''' be slashed.
Simply put, as it is now, {{{$_REQUEST}}} is unpredictable, and any use of
it that would be affected by "slashable" data '''is currently unstable'''.
dd32's patch fixes this, by making it consistent (with itself) and
consistend with {{{$_GET}}} and {{{$_POST}}}, as well as fixes it in a way
that won't introduce SQL injection vulnerabilities.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/10360#comment:35>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list