[wp-trac] [WordPress Trac] #10980: DoS in wp-trackbacks

WordPress Trac wp-trac at lists.automattic.com
Wed Oct 21 14:52:54 UTC 2009


#10980: DoS in wp-trackbacks
--------------------------+-------------------------------------------------
 Reporter:  gomex         |        Owner:  ryan    
     Type:  defect (bug)  |       Status:  reopened
 Priority:  high          |    Milestone:          
Component:  Security      |      Version:          
 Severity:  critical      |   Resolution:          
 Keywords:                |  
--------------------------+-------------------------------------------------
Changes (by aperez):

 * cc: aperez (added)


Comment:

 I made a quick review of the trackback specification
 (http://www.sixapart.com/pronet/docs/trackback_spec) and a `charset`
 parameter in the request body is *not* allowed. Charset *should* be
 specified in the HTTP `Content-Type` header instead. I suppose this is a
 leftover from old spec revisions, so probably charset handling could be
 removed from `wp-trackback.php`. If I am right, PHP will happily take into
 account the HTTP header sent by the client, and act accordingly (please
 correct me if I am wrong).

 If for some reason (e.g. compatibility with old clients) this is not a
 good idea, another option would be using
 [http://docs.php.net/manual/en/function.iconv.php iconv()], which only
 accepts a single destination encoding.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/10980#comment:7>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
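The header-based handling aperez describes, as an added illustration that is not WordPress code and not from the ticket: the charset is read once from the HTTP `Content-Type` header, checked against a small allow-list (the list itself is an assumption), and each field is converted with a single `iconv()` call, so a comma-separated list of encodings in the POST body is never consulted. Field names follow the trackback spec; the `//IGNORE` suffix is an assumption about the preferred handling of unconvertible bytes.

```php
<?php
// Added illustration (not WordPress code): take the trackback charset from the
// HTTP Content-Type header, as the spec requires, not from the POST body.

/**
 * Extract the charset parameter from a Content-Type header value,
 * e.g. "application/x-www-form-urlencoded; charset=ISO-8859-1".
 * Returns null when the parameter is absent or syntactically invalid.
 */
function trackback_charset_from_content_type(string $content_type): ?string {
    // One token only: a comma-separated list such as "a,b,c" does not match.
    if (!preg_match('/;\s*charset\s*=\s*"?([A-Za-z0-9._-]{1,40})"?\s*(?:;|$)/i',
                    $content_type, $m)) {
        return null;
    }
    return strtoupper($m[1]);
}

/**
 * Convert one trackback field to the blog charset with a single iconv() call.
 * Only an allow-list of source encodings (assumed here) is accepted; anything
 * else is treated as already being in the blog charset and left untouched.
 */
function trackback_convert(string $value, ?string $charset,
                           string $blog_charset = 'UTF-8'): string {
    static $allowed = ['UTF-8', 'ISO-8859-1', 'ISO-8859-15', 'WINDOWS-1252',
                       'SHIFT_JIS', 'EUC-JP'];
    if ($charset === null
        || $charset === strtoupper($blog_charset)
        || !in_array($charset, $allowed, true)) {
        return $value;
    }
    // //IGNORE drops bytes that cannot be represented in the target charset.
    $converted = @iconv($charset, $blog_charset . '//IGNORE', $value);
    return $converted === false ? $value : $converted;
}

// Usage: read the header once per request, then convert the spec's text fields.
$charset   = trackback_charset_from_content_type($_SERVER['CONTENT_TYPE'] ?? '');
$title     = trackback_convert($_POST['title'] ?? '', $charset);
$excerpt   = trackback_convert($_POST['excerpt'] ?? '', $charset);
$blog_name = trackback_convert($_POST['blog_name'] ?? '', $charset);
```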

