[wp-trac] [WordPress Trac] #21359: htmlspecialchars() in wp-db.php is a small vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Mon Jul 23 21:12:59 UTC 2012
#21359: htmlspecialchars() in wp-db.php is a small vulnerability
--------------------------+------------------------------
Reporter: planetzuda | Owner: planetzuda
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 3.4.1
Severity: minor | Resolution:
Keywords: needs-patch |
--------------------------+------------------------------
Comment (by nacin):
Hi there. When you created this ticket, you might have seen:
> Do not report potential security vulnerabilities here. Read the
> Security FAQ and email us at security at wordpress.org.
Regardless, this isn't accurate. htmlspecialchars() is not only safe in
this instance, but this also isn't exploitable — this error is only going
to happen based on what is in your wp-config.php file for DB credentials
(meaning, someone has file/PHP access) or is able to set up your config
with wp-admin/setup-config.php (which means you have a blank install just
sitting around). We consider both to be a non-starter when it comes to
considering what is a "vulnerability".
There's no difference between htmlspecialchars() and htmlentities() (when
the same parameters are used) from a security standpoint.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/21359#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
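To illustrate the comment's last point, here is an added PHP example (not code from the ticket, from this thread, or from WordPress core) that runs htmlspecialchars() and htmlentities() with the same flags and charset over a few constructed inputs. The inputs are made up for the demonstration: a normal host name, the kind of hostile value that could only reach the error page if someone could already write wp-config.php, a string with a single quote, and a non-ASCII string that shows the one place the two functions differ.

```php
<?php
// Added example, not WordPress code: compare htmlspecialchars() and
// htmlentities() when both are called with identical parameters.
declare(strict_types=1);

/**
 * Escape $value with both functions using the same flags and charset.
 * Returns the two results and whether they are byte-for-byte identical.
 */
function compare_escapers(string $value): array
{
    // ENT_QUOTES escapes both " and ', so the result is safe inside a
    // quoted attribute as well as in a text node.
    $flags = ENT_QUOTES;
    $a = htmlspecialchars($value, $flags, 'UTF-8');
    $b = htmlentities($value, $flags, 'UTF-8');
    return [
        'htmlspecialchars' => $a,
        'htmlentities'     => $b,
        'identical'        => ($a === $b),
    ];
}

// Constructed sample values (not real config values).
$samples = [
    'localhost',
    '127.0.0.1:3306',
    '"><script>alert(1)</script>',   // attacker-style value: needs write access to wp-config.php
    "it's",                          // single quote, covered by ENT_QUOTES
    "h\u{00f4}te",                   // "hôte": non-ASCII, only htmlentities() rewrites it
];

foreach ($samples as $s) {
    $r = compare_escapers($s);
    printf(
        "%-34s specialchars=%-46s entities=%-46s %s\n",
        var_export($s, true),
        $r['htmlspecialchars'],
        $r['htmlentities'],
        $r['identical'] ? 'same' : 'DIFFERENT'
    );
}

// Every character that can break out of an HTML text node or a quoted
// attribute (& < > " ') is escaped identically by both functions. The only
// behavioural difference is that htmlentities() also replaces non-ASCII
// characters that have a named entity, which has no bearing on injection.
```

Run it with `php compare.php`: the first four rows report `same`, and only the non-ASCII row differs, which is the behaviour nacin describes when he says the two functions are equivalent from a security standpoint given the same parameters.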