[wp-trac] [WordPress Trac] #32482: Fix TinyMCE js include
WordPress Trac
noreply at wordpress.org
Wed May 27 15:01:35 UTC 2015
#32482: Fix TinyMCE js include
-------------------------------------+------------------------------
Reporter: yoni y | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: TinyMCE | Version:
Severity: normal | Resolution:
Keywords: close reporter-feedback | Focuses:
-------------------------------------+------------------------------
Comment (by yoni y):
Replying to [comment:1 azaozz]:
> I'm not that sure what exactly is the purpose here. The TinyMCE JS is
concatenated and pre-compressed when building, then outputted from a small
PHP file. It checks some basic support and adds the needed headers. This
is by far the fastest way to load it. Nothing is being generated on the
fly, etc.
>
> > Generating a static file on the file seems like a waste of resources.
>
> Do you mean concatenating and pre-compressing all the JS parts of
TinyMCE at build time is a waste?
>
No I mean not doing so is a waste of time. this file serves precompressed
file if a gzip one is requested, but concats two files if gzip is not
enabled on the client.
You might gain a bit of performance from not gzip each time but then why
just this file ?
also I'm pretty sure nginx (and other web servers) static file serving
will have better performance then this little hack (and without the
security implications)
> > This script mimic a web server changing include headers and decided
weather to serve a compressed file or a plain text one. this seems like
something that should be left to the handling web server.
>
> Unfortunately most shared hosting servers do not add cache expiration,
content type, etc. headers.
I find it weird that shared hosting wont have proper caching and headers
since all there users will be much more happy, but the fact that some
users have crappy providers doesn't mean everyone else has to suffer.
> > Having a php files in the wp-include that runs directly by the web
server seems like it might have some security implications.
>
> Not sure what you mean by that. We concatenate and load all admin JS and
CSS this way.
All the files ? cause this was the only files that have been blocked under
my wp-includes path.
If so this is way worse than I thought.
Its considered best practice for PHP app to have a single point of entry.
that way managing authentication and authorization can be much more simple
and handled globally to the entire APP. Wordpress seems to be doing that
for 99% of the files and then you have some rouge files like this one (and
few more legacy ones I found in wp-includes) that now need to be managed
separately. so having multiple points of entry is harder to secure than
one.
Other then that it is again best practice when you have PHP files being
included it is best to prevent them from being accessed directly think
about this fake logic -
<?php if ($user->isAdmin()) { require('clearDb.php') } ?>
what happens if some one will just access the clearDb.php url ? if it is
available for public access the security check has been overridden.
This is of course crappy code and you should never write code like that,
But if you have files that you know should always be included from other
files why should you allow anyone to try and access them directly ? are
you sure every included file in wordpress wont mess things up if it runs
outside its normal context ?
Just a few weeks ago it was discovered that the “example.html” in an icon
font package exposes wordpress sites for XSS. did this file needed to be
included with wordpress ?
Having unnecessary access can only lead to security issue.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/32482#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list