[wp-trac] Re: [WordPress Trac] #9750: setup-config.php is tainted
by request data
WordPress Trac
wp-trac at lists.automattic.com
Thu May 7 17:56:12 GMT 2009
#9750: setup-config.php is tainted by request data
--------------------------+-------------------------------------------------
Reporter: hakre | Owner: ryan
Type: defect (bug) | Status: new
Priority: normal | Milestone: 2.8
Component: Security | Version: 2.8
Severity: normal | Keywords: has-patch 2nd-opinion
--------------------------+-------------------------------------------------
Comment(by hakre):
Replying to [comment:2 DD32]:
> slashes after the .php will not affect that at all.
>
> PHP is smart enough to differentiate between file and url.
>
> else /blog/2009/40/30/slug/ would screw over ../'s.. which it doesnt.
thought so as well until i head errors because of the requires. so this is
tested and confirmed here.
i already asked myself how the hell that can happen. i doubt that this
specific to php. maybe this is wordpress related? i will do some tests
with plain php on the same server configuration but w/o wordpress.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/9750#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list