[wp-trac] Re: [WordPress Trac] #9750: setup-config.php is tainted
by request data
WordPress Trac
wp-trac at lists.automattic.com
Thu May 7 18:12:53 GMT 2009
#9750: setup-config.php is tainted by request data
--------------------------+-------------------------------------------------
Reporter: hakre | Owner: ryan
Type: defect (bug) | Status: new
Priority: normal | Milestone: 2.8
Component: Security | Version: 2.8
Severity: normal | Keywords: has-patch 2nd-opinion
--------------------------+-------------------------------------------------
Comment(by hakre):
I can only confirm that this does work with my php setup.
{{{
require_once('../samedir/otherfile.php');
}}}
that is influenced by it. if the test script is within ''samedir'' and
''otherfile.php'' exists, it will fail to include it when i add slashes
behind the .php (=> .php/) as written in the ticket description.
this is PHP Version 5.2.8 CGI/FastCGI with Virtual Directory Support
enabled. I'm not so shure if this is the cause, i could find this info
about it:
> Virtual Directory Support is ... related to the ... implementation of
some file/directory macros used by zend/php and some php modules.
> Virtual Directory Support off -> php relies on the c library functions
for resolving the current working directory
> Virtual Directory Support off -> php uses the tsrm implementation that
keeps track of the current working directory on a per thread level.
[http://forums.devnetwork.net/viewtopic.php?p=380761#p380761 source]
--
Ticket URL: <http://core.trac.wordpress.org/ticket/9750#comment:4>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list