There was some ancient code in WP::parse_request() that looked in $GLOBALS when setting up query vars.
This is no longer the case: 
miqrogroove and Alex M. are discussing. Toggle Comments
Get a security analyst to check that out ASAP. $GLOBALS[$wpvar] is a variable variable syntax. If that query_vars filter wasn’t hooked by something extremely conservative, anyone would be able to hijack WordPress just by setting $wpvar in a query.
Note how the color is red. The code was removed.
Note how WordPress is used on millions of websites that do not have this changeset.
Note the usage of wp_unregister_GLOBALS() at the beginning of every page load and how most hosts have the register globals setting disabled.
unregister_globals has nothing to do with this. Variable variable syntax in PHP gives direct access to everything in memory.
I see it was used only on the right side of the assignment and not on the left, so that does limit the attack surface to the query_vars array.
← Twenty Ten 1.2 “RC”
As most of you know, today’s dev chat w… →
Subscribe to this blog and receive notifications of new posts by email.
Join 2,475 other subscribers