[wp-trac] [WordPress Trac] #14946: Only enforce OEmbed whitelisting for dangerous types
WordPress Trac
wp-trac at lists.automattic.com
Thu Sep 23 09:03:29 UTC 2010
#14946: Only enforce OEmbed whitelisting for dangerous types
-------------------------+--------------------------------------------------
Reporter: markjaquith | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: 3.1
Component: General | Version: 3.0.1
Severity: normal | Keywords:
-------------------------+--------------------------------------------------
Comment(by filosofo):
I'm not sure that we can consider photo responses safe, in the sense that
we use the value of the url parameter as the source for an image element.
In the past there have been security exploits (such as the GDI exploit)
that used image files to trick clients into executing code.
Even the best-case scenario allows the remote server to set and read
cookies.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/14946#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
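One way to apply the provider whitelist to photo responses as well, since the photo `url` ends up as an `<img src>` pointing at whatever host the response names. This is an added example, not WordPress core code; the allowed host list and the two sample responses are constructed.

```php
<?php
// Added example (not WordPress core code): validate an oEmbed JSON response
// against a provider whitelist before rendering it. The check is applied to
// the "photo" type too, because its "url" becomes an <img src> and the host
// it points at can then set and read cookies in the reader's browser.
// $allowedHosts is a hypothetical whitelist of trusted provider hostnames.

function oembed_host_allowed(string $url, array $allowedHosts): bool {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    // Only plain http/https image sources; rejects javascript:, data:, etc.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

// Returns the <img> markup for a valid, whitelisted photo response, or null.
function validate_oembed_photo(string $json, array $allowedHosts): ?string {
    $data = json_decode($json, true);
    if (!is_array($data) || ($data['type'] ?? '') !== 'photo') {
        return null;
    }
    $url = $data['url'] ?? '';
    if (!is_string($url) || !oembed_host_allowed($url, $allowedHosts)) {
        return null;
    }
    $w = (int) ($data['width'] ?? 0);
    $h = (int) ($data['height'] ?? 0);
    if ($w <= 0 || $h <= 0) {
        return null;
    }
    return sprintf('<img src="%s" width="%d" height="%d" alt="" />',
        htmlspecialchars($url, ENT_QUOTES, 'UTF-8'), $w, $h);
}

// Constructed sample data: one response from a whitelisted provider host,
// one whose photo URL points at a host that is not on the list.
$allowed = ['images.provider.example'];
$ok  = '{"type":"photo","url":"https://images.provider.example/p/1.jpg","width":500,"height":375}';
$bad = '{"type":"photo","url":"https://other.example/pixel.gif","width":1,"height":1}';

var_dump(validate_oembed_photo($ok, $allowed) !== null);
var_dump(validate_oembed_photo($bad, $allowed));
```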