[wp-trac] [WordPress Trac] #44177: Enhance wp_debug_backtrace_summary() with the optional ability to include arguments
WordPress Trac
noreply at wordpress.org
Mon May 21 21:03:55 UTC 2018
#44177: Enhance wp_debug_backtrace_summary() with the optional ability to include
arguments
---------------------------+------------------------------
Reporter: DavidAnderson | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
---------------------------+------------------------------
Comment (by jdgrimes):

Replying to [comment:2 DavidAnderson]:
> Though changing default behaviour is usually undesirable, I wonder if in
> the case of a debugging function whose output was, and remains, a textual
> string, if there's not a good case for changing it in this case? The extra
> info is harmless, and it's hard to envisage anybody parsing the output and
> relying upon it in a way that would be breaking. Having to pass all 4
> parameters to get the info is a bit annoying.

The extra info is not necessarily harmless. I can see how this could
inadvertently expose passwords or be used for XSS under the correct
circumstances.

Also, I don't know about parsing the output, but core itself searches the
output for a particular function name in one of the unit tests. I don't
know if any plugins do that in production code, but I wouldn't be
surprised. If they do, it would potentially be possible for the user to
alter behavior if they control the content of any of the parameters in the
backtrace stack, by including a function name in the argument value.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44177#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
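
The concerns raised in the comment above, shown as an added example that is not part of the ticket, its patch, or WordPress core: a backtrace summary that records argument types instead of values, is escaped when rendered, and a caller check that reads the structured frames rather than searching the rendered string. All `example_*` names and the sample frames are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical helpers, not WordPress core code.

/** Describe an argument by type only, so its value never reaches the output. */
function example_describe_arg( $arg ) {
    if ( is_object( $arg ) ) {
        return get_class( $arg );
    }
    if ( is_array( $arg ) ) {
        return 'array(' . count( $arg ) . ')';
    }
    if ( is_string( $arg ) ) {
        return 'string(' . strlen( $arg ) . ')';
    }
    return gettype( $arg );
}

/** Build "func(type, ...), func(...)" from debug_backtrace()-style frames. */
function example_backtrace_summary( array $frames ) {
    $parts = array();
    foreach ( $frames as $frame ) {
        $name = $frame['function'];
        if ( isset( $frame['class'] ) ) {
            $name = $frame['class'] . $frame['type'] . $name;
        }
        $args    = isset( $frame['args'] ) ? $frame['args'] : array();
        $parts[] = $name . '(' . implode( ', ', array_map( 'example_describe_arg', $args ) ) . ')';
    }
    return implode( ', ', $parts );
}

/** Caller check against the structured frames, not the rendered string. */
function example_called_from( array $frames, $function ) {
    foreach ( $frames as $frame ) {
        if ( $frame['function'] === $function ) {
            return true;
        }
    }
    return false;
}

// Constructed frames: one holds a password, one holds a function name plus markup as a value.
$frames = array(
    array( 'function' => 'wp_signon', 'args' => array( array( 'user_password' => 'hunter2' ) ) ),
    array( 'function' => 'example_handler', 'args' => array( 'wp_delete_user <script>' ) ),
);

echo htmlspecialchars( example_backtrace_summary( $frames ), ENT_QUOTES, 'UTF-8' ), "\n"; // escape on output
var_dump( example_called_from( $frames, 'wp_delete_user' ) ); // argument text cannot pose as a frame
```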