[wp-trac] Re: [WordPress Trac] #9989: 1&1 and Wordpress 2.8

WordPress Trac wp-trac at lists.automattic.com
Sun May 31 23:26:27 GMT 2009


#9989: 1&1 and Wordpress 2.8
--------------------------+-------------------------------------------------
 Reporter:  mattredman    |       Owner:                   
     Type:  defect (bug)  |      Status:  new              
 Priority:  normal        |   Milestone:  2.8              
Component:  General       |     Version:  2.8              
 Severity:  normal        |    Keywords:  reporter-feedback
--------------------------+-------------------------------------------------

Comment(by robertaccettura):

 I'm not sure a theme or plugin should ever really be using
 allow_url_include as it's inherently very insecure and thus *should* be
 disabled on secure systems.  Including from a remote source is extremely
 risky.  If the remote source is compromised it can include bad code
 injecting anything from spam to other malware onto the host server (since
 it would have all permissions that WordPress and PHP have).

 Perhaps to help kill this harmful practice the following should be added
 to wp-settings.php:

 {{{
 // Proposed addition to wp-settings.php: turn off remote includes.
 ini_set('allow_url_include', 'Off');
 }}}

 A theme can in theory just turn it back on, but hopefully this will at
 least discourage the behavior for less experienced developers.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/9989#comment:8>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
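As an added example (not part of the ticket or of WordPress itself) from the defender's side of the argument above: allow_url_include is a PHP_INI_SYSTEM setting, so a runtime ini_set() in wp-settings.php cannot actually change it, and what a deployment can do is verify the php.ini value and audit theme or plugin code for include/require statements that would only work with it enabled. The scanner below is a simple line-based regex audit (it does not parse PHP), and the sample theme file and php.ini text are constructed for the example.

```python
import re

# include/require statements that can pull code through a URL wrapper once
# allow_url_include is On.
INCLUDE_RE = re.compile(
    r"\b(include_once|require_once|include|require)\b\s*\(?\s*(?P<arg>[^;]+?)\s*\)?\s*;",
    re.IGNORECASE,
)
# Argument is a string literal starting with a wrapper PHP can fetch remotely.
REMOTE_LITERAL_RE = re.compile(r"""^["']\s*(https?|ftp|ftps|php|data|phar)://""", re.IGNORECASE)
# Argument is built from request data: with allow_url_include On this is the
# classic remote file inclusion pattern.
USER_INPUT_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")


def find_risky_includes(php_source: str):
    """Return (line_number, kind, argument) for each include/require whose
    argument is a remote URL literal ('remote') or is derived from request
    data ('user-input'). Ordinary local includes are not reported."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for m in INCLUDE_RE.finditer(line):
            arg = m.group("arg").strip()
            if REMOTE_LITERAL_RE.match(arg):
                findings.append((lineno, "remote", arg))
            elif USER_INPUT_RE.search(arg):
                findings.append((lineno, "user-input", arg))
    return findings


def allow_url_include_enabled(ini_text: str) -> bool:
    """Parse php.ini-style text and report whether allow_url_include is on.
    PHP accepts On/1/true/yes as enabled; the default is Off."""
    enabled = False
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a php.ini comment
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "allow_url_include":
            enabled = value.strip("\"'").lower() in ("on", "1", "true", "yes")
    return enabled


# Constructed sample theme file: two normal local includes and two risky ones.
SAMPLE_THEME = """<?php
require_once get_template_directory() . '/inc/setup.php';
include(ABSPATH . 'wp-settings.php');
include('http://example.invalid/remote-widget.php');
require $_GET['page'] . '.php';
"""
```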