[wp-trac] [WordPress Trac] #8910: Limit the RSS widget from using its own url

WordPress Trac wp-trac at lists.automattic.com
Wed May 5 17:22:26 UTC 2010


#8910: Limit the RSS widget from using its own url
-----------------------------+----------------------------------------------
  Reporter:  webmaestro      |        Type:  defect (bug)                                                                      
    Status:  reopened        |    Priority:  high                                                                              
 Milestone:  Future Release  |   Component:  Widgets                                                                           
   Version:  2.9.2           |    Severity:  major                                                                             
Resolution:                  |    Keywords:  needs-patch, rss, widget, url, HTTP/1.0, server, loop, feed, recent posts, archive
-----------------------------+----------------------------------------------
Changes (by robechar):

  * priority:  normal => high
  * version:  2.8 => 2.9.2


Comment:

 From the perspective of the systems team at our university, this is a
 critical security issue.  Our team uses WordPress MU for our university
 blogging system, and on four separate occasions we have had members set
 their RSS widget to their own RSS feed.  In our system, the loop results in
 a huge number of open processes, and effectively takes down one of our
 servers.

 The ability for any member to take out a server is a major security issue
 for us, and we have had a lot of pressure to move away from WordPress for
 this reason.  We have written a patch which disallows users from selecting
 their own RSS feed, but we would like to see this issue addressed at the
 core level, so we don't have to patch every release, and to prevent this
 issue from being exploited on other systems.

 While theoretically including your own RSS feed is a valid thing to do, as
 dd32 points out, the architecture of WordPress currently doesn't handle it
 properly.  In the short-term, until that issue can be fully addressed,
 adding this patch to core should prevent this issue from being exploited.

 Patch for /wp-includes/default-widgets.php
 {{{
 741,759d740
 <     /**
 <      * Override save settings to prevent inclusion of your own RSS feed
 <      *
 <      * Written in response to this issue
 <      * http://core.trac.wordpress.org/ticket/8910
 <      */
 <     function save_settings($settings) {
 <         global $current_blog;
 <         // Make sure this blog isn't including their own RSS feed
 <         foreach ($settings as $index=>$fields) {
 <             if (!empty($fields['url'])) {
 <                 if (substr_count($fields['url'], $current_blog->domain .
 $current_blog->path)) {
 <                     $settings[$index]['url'] = '';
 <                 }
 <             }
 <         }
 <           return parent::save_settings($settings);
 <       }
 <

 }}}
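Review bot: the `substr_count($fields['url'], $current_blog->domain . $current_blog->path)` test in `save_settings()` is a case-sensitive substring search, so it neither reliably catches the blog's own feed nor avoids false positives: `HTTP://EXAMPLE.EDU/blog1/feed/` (upper-cased host), a `www.` alias, or the server's other hostname or IP all get through and still recurse, while any unrelated URL that happens to contain the string (a path on another site, or every sub-blog when this is the root blog with path `/`) is silently wiped. Parse the URL with `parse_url()` and compare the normalized host plus a path-segment prefix instead of matching raw substrings. Two smaller points: the hunk header `741,759d740` with `<` lines says these lines are to be *deleted*, i.e. the diff was generated as `diff patched original`; regenerate it as `diff -u original patched` (the `if (substr_count(` line is also wrapped as pasted, so the hunk will not apply cleanly). And `global $current_blog` exists only under WPMU; a core patch should derive the site URL from `home_url()`/`get_option('home')` so single-site installs don't hit an undefined variable, and should surface an error to the user rather than silently blanking the saved URL.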

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/8910#comment:11>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
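The check the ticket asks for, as an added example that is not the poster's patch or WordPress core code: instead of searching for `domain . path` as a substring, it parses both URLs and compares the normalized host and a whole-segment path prefix, so the same feed entered with a different case, a `www.` prefix or `https://` is still recognized, while an unrelated URL that merely contains the site's domain is not blocked. The function names, the sample site `blogs.example.edu/blog1/` and all sample feed URLs are constructed for the example. It only guards the accidental case the comment describes; a feed reached through an alias hostname or a redirect would still loop, which is the fetcher-level problem the comment leaves to core.

```php
<?php
// Added example, not code from the ticket, the poster's patch, or WordPress
// core. It shows a host-and-path comparison in place of the patch's
// substr_count() test. Function names and all sample URLs are constructed.

/**
 * Normalize a hostname for comparison: lower-case, drop a trailing dot,
 * and treat "www.example.edu" and "example.edu" as the same site.
 */
function rss_widget_norm_host(string $host): string
{
    $host = strtolower(rtrim($host, '.'));
    return preg_replace('/^www\./', '', $host);
}

/**
 * True when $feed_url points back into the blog that lives at $blog_url.
 * Scheme and port are deliberately ignored: the same install usually
 * answers on both http and https, and either one would recurse.
 */
function rss_widget_feed_is_self(string $feed_url, string $blog_url): bool
{
    $feed = parse_url($feed_url);
    $blog = parse_url($blog_url);
    if ($feed === false || $blog === false
        || empty($feed['host']) || empty($blog['host'])) {
        return false; // not an absolute URL; leave it to the fetcher to reject
    }
    if (rss_widget_norm_host($feed['host']) !== rss_widget_norm_host($blog['host'])) {
        return false;
    }
    // Compare whole path segments: "/blog1/" must not match "/blog10/feed/".
    $blog_path = rtrim($blog['path'] ?? '/', '/') . '/';
    $feed_path = rtrim($feed['path'] ?? '/', '/') . '/';
    return strncmp($feed_path, $blog_path, strlen($blog_path)) === 0;
}

/**
 * The posted patch's test, reproduced for comparison: a case-sensitive
 * substring search for "domain/path" anywhere in the URL.
 */
function rss_widget_feed_is_self_substring(string $feed_url, string $domain_path): bool
{
    return substr_count($feed_url, $domain_path) > 0;
}

// Constructed sample: a WordPress MU sub-blog and URLs a member might enter.
$blog_url    = 'http://blogs.example.edu/blog1/';
$domain_path = 'blogs.example.edu/blog1/';   // what $current_blog->domain . path would hold

$samples = [
    'http://blogs.example.edu/blog1/feed/',                    // own feed: block
    'HTTP://BLOGS.EXAMPLE.EDU/blog1/?feed=rss2',               // own feed, upper-cased host
    'https://www.blogs.example.edu/blog1/feed/',               // own feed via https and www
    'http://blogs.example.edu/blog10/feed/',                   // sibling blog: allow
    'http://other.example.org/news/blogs.example.edu/blog1/',  // unrelated site: allow
];

printf("%-58s %-10s %s\n", 'url', 'substring', 'host+path');
foreach ($samples as $url) {
    printf("%-58s %-10s %s\n", $url,
        rss_widget_feed_is_self_substring($url, $domain_path) ? 'blocked' : 'allowed',
        rss_widget_feed_is_self($url, $blog_url) ? 'blocked' : 'allowed');
}
```

Run it with `php example.php`: the substring column lets the second and third own-feed URLs through and blocks the unrelated `other.example.org` URL, while the host+path column blocks exactly the three own-feed forms. In a real install the blog URL would come from `home_url()` (or `$current_blog` under WPMU) rather than the constructed literal, and a rejected URL should produce a visible error instead of being silently emptied.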