[wp-trac] [WordPress Trac] #21113: Pagination puts random query strings in generated HTML
WordPress Trac
wp-trac at lists.automattic.com
Fri Jun 29 14:57:01 UTC 2012
#21113: Pagination puts random query strings in generated HTML
--------------------------+-----------------------------
Reporter: kirrus | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 3.4
Severity: minor | Keywords:
--------------------------+-----------------------------
The newer/older entries pagination system takes any query string in an
inbound request, and includes it in the links generated for the
newer/older entries.

This causes problems when you put WordPress behind a cache, because all it
takes is some bot trying a Joomla hack to mean all visitors suddenly have
a version of that page, including the bad query string, very visible.

For example:
http://kirrus.co.uk/page/6/?test=true

Note, in the 'Newer/Older' links at the bottom of the page, that
"test=true" will be retained.

These should only really keep query strings that WordPress knows it'll
need, if you're including them? Else, you can basically poison someone's
cache with this.

An example of the really bad query string poisoning a cache:
/page/2/?option=com_gk3_tabs_manager&controller=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron%0000
--
Ticket URL: <http://core.trac.wordpress.org/ticket/21113>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
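
The allowlist approach the ticket asks for, sketched as an added example that is not part of the ticket or of WordPress core: it keeps only known query arguments in a pagination URL and attaches to WordPress's `get_pagenum_link` filter when WordPress is loaded. The function name, the constant and the contents of the allowlist are assumptions made for illustration.

```php
<?php
// Added example, not WordPress core code. The allowlist is an assumption:
// list only the query arguments your site really needs on paginated views.
const PAGINATION_ALLOWED_ARGS = ['s', 'cat', 'tag', 'orderby', 'order'];

function example_filter_pagination_args(string $url, array $allowed = PAGINATION_ALLOWED_ARGS): string
{
    // Split off a fragment so it can be re-attached unchanged.
    $hash     = strpos($url, '#');
    $fragment = $hash === false ? '' : substr($url, $hash);
    $base     = $hash === false ? $url : substr($url, 0, $hash);

    $qpos = strpos($base, '?');
    if ($qpos === false) {
        return $url; // no query string, nothing to filter
    }
    $path = substr($base, 0, $qpos);

    parse_str(substr($base, $qpos + 1), $args); // decodes names and values
    $kept = array_intersect_key($args, array_flip($allowed));
    // Drop array-valued arguments (e.g. s[]=x) so only plain strings survive.
    $kept = array_filter($kept, 'is_string');

    if ($kept === []) {
        return $path . $fragment;
    }
    // http_build_query() re-encodes every value, so nothing is echoed back raw.
    return $path . '?' . http_build_query($kept, '', '&', PHP_QUERY_RFC3986) . $fragment;
}

// Inside WordPress: filter the URL that the newer/older links are built from.
if (function_exists('add_filter')) {
    add_filter('get_pagenum_link', 'example_filter_pagination_args');
}

// Outside WordPress (php CLI): run on constructed sample URLs.
if (PHP_SAPI === 'cli' && !function_exists('add_filter')) {
    $samples = [
        'http://blog.example/page/6/?test=true',            // unknown arg only
        'http://blog.example/page/2/?s=cache&option=com_x', // known + unknown
        'http://blog.example/page/3/',                      // no query string
    ];
    foreach ($samples as $sample) {
        echo $sample, ' => ', example_filter_pagination_args($sample), PHP_EOL;
    }
}
```

A cache in front of the site should also normalise its cache key the same way, since filtering the generated links does not stop the cache from storing a separate copy of the page per distinct query string.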