[wp-trac] [WordPress Trac] #12284: I/O Sanity Failures With Invalid HTML Entity References
WordPress Trac
wp-trac at lists.automattic.com
Fri Feb 19 02:54:45 UTC 2010
#12284: I/O Sanity Failures With Invalid HTML Entity References
-----------------------------+----------------------------------------------
Reporter: miqrogroove | Owner: ryan
Type: defect (bug) | Status: new
Priority: highest omg bbq | Milestone: 3.0
Component: Security | Version:
Severity: blocker | Keywords: has-patch
-----------------------------+----------------------------------------------
'''Background'''
While testing moderation and sanitize functions for blog comments in
#11833 and related tickets, I discovered this inline comment:
{{{
# Change back the allowed entities in our entity whitelist
}}}
There is actually no whitelist in the existing kses function. After
discussing this on the security mailing list with slow progress,
permission was given by IRC to make this public on Trac for speedy
attention and resolution.
'''Vulnerability'''
Anonymous users can break comment feed validation by injecting invalid
character entity references.
Authors can break front page and primary feed validation by injecting
invalid character entity references.
These are self-mitigating risks in and of themselves. However...
While trying to patch this bug, I also discovered that the html_esc
function in WordPress ''decodes'' phrases in the form of
{{{&phrase;}}}. That bug may have further security implications, and
was resolved by calling the patched kses function from inside the html_esc
function.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/12284>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
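The ticket describes two related defects: kses has no real entity whitelist, so an invalid reference such as {{{&phrase;}}} passes through into comment and feed output and breaks XML validation, and the escaper decodes such phrases instead of leaving them inert. The PHP below is an added illustration of the whitelist approach the reporter's patch points towards; it is not WordPress's kses or html_esc code, and its named-entity list is a constructed subset (a real deployment would carry the full HTML named-entity table). It keeps only well-formed references whose name is whitelisted or whose numeric code point is legal, and rewrites every other ampersand as {{{&amp;}}}, so the output is always well-formed regardless of what an anonymous commenter supplies.

```php
<?php
declare(strict_types=1);

// Added example, not WordPress code: whitelist-based normalisation of
// character entity references in untrusted text, then escaping for feed/XML
// output. ALLOWED_NAMED_ENTITIES is a constructed, illustrative subset.
const ALLOWED_NAMED_ENTITIES = ['amp', 'lt', 'gt', 'quot', 'nbsp', 'copy', 'hellip', 'mdash'];

// One pattern shared by both passes so they agree on what a reference is:
// hexadecimal numeric, decimal numeric, or a bounded alphanumeric name.
const ENTITY_PATTERN = '#x([0-9A-Fa-f]{1,8})|#([0-9]{1,9})|([A-Za-z][A-Za-z0-9]{0,31})';

// True when $cp is a code point an XML/HTML document may reference:
// not NUL, not a UTF-16 surrogate half, not beyond U+10FFFF.
function is_valid_codepoint(int $cp): bool
{
    if ($cp === 0 || $cp > 0x10FFFF) {
        return false;
    }
    if ($cp >= 0xD800 && $cp <= 0xDFFF) {
        return false;
    }
    return true;
}

function normalize_entities(string $text): string
{
    // Pass 1: inspect every terminated candidate "&...;" and decide whether it
    // may survive. Rejected references keep their text but lose the live '&'.
    $text = preg_replace_callback(
        '/&(' . ENTITY_PATTERN . ');/',
        static function (array $m): string {
            $neutralised = '&amp;' . substr($m[0], 1);
            if (($m[2] ?? '') !== '') {                  // &#x41; style
                $cp = (int) hexdec($m[2]);
                return is_valid_codepoint($cp) ? '&#' . $cp . ';' : $neutralised;
            }
            if (($m[3] ?? '') !== '') {                  // &#65; style
                $cp = (int) $m[3];
                return is_valid_codepoint($cp) ? '&#' . $cp . ';' : $neutralised;
            }
            // Named reference: case-sensitive whitelist lookup, nothing else.
            return in_array($m[4], ALLOWED_NAMED_ENTITIES, true) ? $m[0] : $neutralised;
        },
        $text
    );

    // Pass 2: any remaining '&' that does not start a well-formed reference
    // (missing ';', over-long name, etc.) is encoded so no bare '&' survives.
    return preg_replace('/&(?!(?:' . ENTITY_PATTERN . ');)/', '&amp;', $text);
}

// Escape untrusted text for a feed body. Unlike an escaper that first decodes
// entities, this never turns "&phrase;" back into a live ampersand and never
// lets an unknown reference through unchanged.
function escape_for_feed(string $text): string
{
    $text = normalize_entities($text);
    return strtr($text, ['<' => '&lt;', '>' => '&gt;', '"' => '&quot;']);
}

// Constructed inputs and the output each should produce.
$cases = [
    'AT&T &amp; friends'      => 'AT&amp;T &amp; friends',
    'x &phrase; y'            => 'x &amp;phrase; y',
    '&copy; 2010 &#x41;&#66;' => '&copy; 2010 &#65;&#66;',
    '&#0;&#xD800;&#1114112;'  => '&amp;#0;&amp;#xD800;&amp;#1114112;',
    '<b>"q"</b>'              => '&lt;b&gt;&quot;q&quot;&lt;/b&gt;',
    '&amp;amp;'               => '&amp;amp;',
];

$ok = true;
foreach ($cases as $in => $want) {
    $got = escape_for_feed($in);
    if ($got !== $want) {
        $ok = false;
        echo "FAIL: $in\n  got  $got\n  want $want\n";
    }
}
echo $ok ? "all cases pass\n" : "some cases failed\n";
```

The two passes share ENTITY_PATTERN on purpose: if the second pass accepted a wider syntax than the first (unbounded hex digits, say), a reference the first pass never examined could reach the output with a live ampersand, which is exactly the class of bug the ticket reports. Hex references are rewritten to decimal so downstream consumers see one canonical form.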