[wp-trac] [WordPress Trac] #43308: Alter behavior load-scripts.php and load-styles.php to reduce potentially adverse scenarios
WordPress Trac
noreply at wordpress.org
Wed Feb 14 15:48:27 UTC 2018
#43308: Alter behavior load-scripts.php and load-styles.php to reduce potentially adverse scenarios
---------------------------+--------------------
Reporter: youngcp | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: 5.0
Component: Script Loader | Version: 4.9.4
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
---------------------------+--------------------
Comment (by youngcp):
It's pretty clear the patch as is in this issue is not acceptable for the
current goals of WP. I'm in favor of closing this ticket and creating a
new one with a new patch.
Preliminary pseudo-PHP for brainstorming reference:
{{{#!php
<?php
/**
 * Disable error reporting
 *
 * Set this to error_reporting( -1 ) for debugging.
 */
error_reporting( 0 );

define( 'SHORTINIT', true );
require( dirname( dirname( __FILE__ ) ) . '/wp-load.php' );
require( ABSPATH . WPINC . '/version.php' );
// SHORTINIT stops wp-settings.php before these two files are loaded,
// but admin_url() and wp_redirect() are defined in them.
require( ABSPATH . WPINC . '/link-template.php' );
require( ABSPATH . WPINC . '/pluggable.php' );

$load = isset( $_GET['load'] ) ? $_GET['load'] : '';
if ( is_array( $load ) ) {
	$load = implode( '', $load );
}
$load = preg_replace( '/[^a-z0-9,_-]+/i', '', $load );

// Sorting and de-duplicating reduces the cache surface: every ordering of
// the same handles maps to one canonical URL. sort() works in place and
// returns a bool, so it cannot be nested inside the assignment.
$targets = array_unique( array_filter( explode( ',', $load ) ) );
sort( $targets );

if ( ! count( $targets ) ) {
	// Nothing to load: allow the client to get a cached empty response.
	wp_redirect( admin_url( 'load-scripts-keyed.php?load[]=' ), 301 );
	exit;
}
$load = implode( ',', $targets );

// TODO: actions, filters, cache surface reduction
// Is NONCE_KEY acceptable to use as a shared secret here?
$integrity = 'sha256-' . hash( 'sha256', $load . NONCE_KEY );

$ver = isset( $_GET['ver'] ) ? $_GET['ver'] : $wp_version;
$c   = isset( $_GET['c'] ) ? $_GET['c'] : '';

// Encode every client-supplied value before placing it in the query string.
wp_redirect(
	admin_url(
		'load-scripts-keyed.php?key=' . rawurlencode( $integrity ) .
		'&load[]=' . rawurlencode( $load ) .
		'&ver=' . rawurlencode( $ver ) .
		'&c=' . rawurlencode( $c )
	),
	301
);
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43308#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
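The comment above only sketches the redirecting side; the part that actually limits the cache surface is the keyed endpoint refusing any handle list it did not sign. The following is an added illustration of that check, not code from the ticket or from WordPress core: `canonical_load_list()`, `verify_load_key()` and the secret value are hypothetical, and `load-scripts-keyed.php` is the name the comment itself uses. It reuses the comment's `hash( 'sha256', $load . NONCE_KEY )` construction so the two sides agree; the open question of whether NONCE_KEY is a suitable secret is left as the comment raised it.

```php
<?php
// Hypothetical verification logic for the load-scripts-keyed.php endpoint
// named in the comment. Not WordPress core code.

/**
 * Canonicalise a comma-separated handle list exactly as the redirecting
 * endpoint does: filter characters, split, drop empties, dedupe, sort.
 * Both sides must agree on this or every valid key will fail to verify.
 */
function canonical_load_list( $load ) {
	if ( is_array( $load ) ) {
		$load = implode( '', $load );
	}
	$load    = preg_replace( '/[^a-z0-9,_-]+/i', '', $load );
	$targets = array_unique( array_filter( explode( ',', $load ) ) );
	sort( $targets );
	return implode( ',', $targets );
}

/**
 * True only if $key was minted by the redirecting endpoint for precisely
 * this canonical list. hash_equals() keeps the comparison constant-time.
 */
function verify_load_key( $load, $key, $secret ) {
	$canonical = canonical_load_list( $load );
	if ( '' === $canonical || ! is_string( $key ) ) {
		return false;
	}
	$expected = 'sha256-' . hash( 'sha256', $canonical . $secret );
	return hash_equals( $expected, $key );
}

// Constructed sample values: a key minted for the canonical list
// "jquery,wp-util" with a made-up secret standing in for NONCE_KEY.
$secret = 'constructed-secret-value';
$key    = 'sha256-' . hash( 'sha256', 'jquery,wp-util' . $secret );

// Same set of handles, different order: canonicalisation makes it match.
var_dump( verify_load_key( array( 'wp-util,jquery' ), $key, $secret ) );
// One extra handle the key was never minted for.
var_dump( verify_load_key( array( 'jquery,wp-util,common' ), $key, $secret ) );
// A key the client made up.
var_dump( verify_load_key( array( 'jquery' ), 'sha256-forged', $secret ) );

// Inside the endpoint the check would gate all script assembly, e.g.
// if ( ! verify_load_key( $_GET['load'], $_GET['key'], NONCE_KEY ) ) {
//     header( 'HTTP/1.1 400 Bad Request' ); exit;
// }
```

Because the endpoint rejects unsigned lists before touching the script loader, an arbitrary unsorted or over-long list costs only the cheap redirect, and only canonical lists ever reach the expensive, cacheable path.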