[wp-trac] [WordPress Trac] #10980: DoS in wp-trackbacks
WordPress Trac
wp-trac at lists.automattic.com
Wed Oct 21 14:52:54 UTC 2009
#10980: DoS in wp-trackbacks
--------------------------+-------------------------------------------------
Reporter: gomex | Owner: ryan
Type: defect (bug) | Status: reopened
Priority: high | Milestone:
Component: Security | Version:
Severity: critical | Resolution:
Keywords: |
--------------------------+-------------------------------------------------
Changes (by aperez):
* cc: aperez (added)
Comment:
I made a quick review of the trackback specification
(http://www.sixapart.com/pronet/docs/trackback_spec) and a `charset`
parameter in the request body is *not* allowed. Charset *should* be
specified in the HTTP `Content-Type` header instead. I suppose this is a
leftover from old spec revisions, so probably charset handling could be
removed from `wp-trackback.php`. If I am right PHP will happily take into
account the HTTP header sent by the client, and act accordingly (please
correct me if I am wrong).
If for some reason (e.g. compatibility with old clients) this is not a
good idea, another option would be using
[http://docs.php.net/manual/en/function.iconv.php iconv()], which only
accepts a single destination encoding.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/10980#comment:7>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
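The two mitigations aperez outlines above (take the charset from the HTTP `Content-Type` header as the spec requires, and convert with `iconv()`, which accepts exactly one destination encoding) can be combined into a small, defensive handler. The following PHP is an added example written for this thread; it is not code from WordPress's `wp-trackback.php` or from the ticket. The allowlist of encodings, the helper names, the UTF-8 destination and the sample request are all assumptions made for illustration.

```php
<?php
// Added example (not WordPress's own wp-trackback.php code): hardened charset
// handling for an incoming trackback ping. Assumptions: a fixed allowlist of
// source encodings, UTF-8 as the single destination charset, and PHP's iconv
// extension being available.

const TRACKBACK_ALLOWED_CHARSETS = ['UTF-8', 'ISO-8859-1', 'WINDOWS-1252', 'SHIFT_JIS', 'EUC-JP'];

/**
 * Extract the charset parameter from an HTTP Content-Type header value such as
 * "application/x-www-form-urlencoded; charset=iso-8859-1". Returns null if absent.
 */
function trackback_charset_from_content_type(string $contentType): ?string
{
    if (preg_match('/;\s*charset\s*=\s*"?([A-Za-z0-9._-]+)"?/i', $contentType, $m)) {
        return strtoupper($m[1]);
    }
    return null;
}

/**
 * Resolve exactly one source charset. The HTTP header is authoritative per the
 * trackback spec; a body "charset" parameter is consulted only as a legacy
 * fallback, and in either case only a single token that matches the allowlist
 * is honoured. Anything else falls back to UTF-8 instead of being passed on
 * to the conversion routine as-is.
 */
function trackback_resolve_charset(string $contentType, ?string $bodyCharset): string
{
    $candidate = trackback_charset_from_content_type($contentType);
    if ($candidate === null && $bodyCharset !== null) {
        $candidate = strtoupper(trim($bodyCharset));
    }
    if ($candidate === null || !in_array($candidate, TRACKBACK_ALLOWED_CHARSETS, true)) {
        return 'UTF-8';
    }
    return $candidate;
}

/**
 * Convert one trackback field to UTF-8 with iconv(), which takes a single
 * destination encoding. Malformed byte sequences are dropped (//IGNORE); if the
 * conversion fails outright the field is emptied rather than stored as raw
 * bytes of unknown encoding.
 */
function trackback_to_utf8(string $value, string $sourceCharset): string
{
    // Running UTF-8 -> UTF-8 through iconv still validates the byte sequences.
    $out = @iconv($sourceCharset, 'UTF-8//IGNORE', $value);
    return $out === false ? '' : $out;
}

// Constructed sample request (not a captured ping). The header declares
// Latin-1; the body also carries a legacy "charset" parameter with a
// list-style value, which is ignored because the header wins and because a
// list is not a single allowlisted token.
$sampleContentType = 'application/x-www-form-urlencoded; charset=iso-8859-1';
$samplePost = [
    'title'   => "Caf\xe9",            // "Café" encoded in ISO-8859-1
    'excerpt' => "Na\xefve test",      // "Naïve test" encoded in ISO-8859-1
    'charset' => 'UTF-8, ISO-8859-1',  // legacy body parameter, not honoured
];

$charset = trackback_resolve_charset($sampleContentType, $samplePost['charset'] ?? null);
$title   = trackback_to_utf8($samplePost['title'], $charset);
$excerpt = trackback_to_utf8($samplePost['excerpt'], $charset);

printf("resolved charset: %s\n", $charset);
printf("title: %s\n", $title);
printf("excerpt: %s\n", $excerpt);
```

The design point is that the client never chooses what the converter is called with: the request only selects one entry from a short server-side allowlist, and the destination encoding is fixed to UTF-8, so a single `iconv()` call is the most work any ping can trigger for each field.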