This is the official blog for the core development team of the WordPress open source project. Follow our progress with weekly meeting agendas, project schedules, and the occasional code debate.
miqrogroove 7:45 pm on October 13, 2010 Permalink
Get a security analyst to check that out ASAP. $GLOBALS[$wpvar] is a variable variable syntax. If that query_vars filter wasn’t hooked by something extremely conservative, anyone would be able to hijack WordPress just by setting $wpvar in a query.
Alex M. 11:54 pm on October 13, 2010 Permalink
Note how the color is red. The code was removed.
miqrogroove 4:43 am on October 14, 2010 Permalink
Note how WordPress is used on millions of websites that do not have this changeset.
Alex M. 4:48 am on October 14, 2010 Permalink
Note the usage of wp_unregister_GLOBALS() at the beginning of every page load and how most hosts have the register globals setting disabled.
miqrogroove 1:18 pm on October 14, 2010 Permalink
unregister_globals has nothing to do with this. Variable variable syntax in PHP gives direct access to everything in memory.
miqrogroove 7:51 pm on October 13, 2010 Permalink
I see it was used only on the right side of the assignment and not on the left, so that does limit the attack surface to the query_vars array.
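
The thread's distinction between a variable name used on the right side of an assignment and one used on the left, as an added PHP illustration that is not WordPress code and not part of any comment above. Every function name, variable name and value in it is constructed for the example.

```php
<?php
// Constructed illustration; all names here are hypothetical, not WordPress source.

// Application state that request input should never reach.
$GLOBALS['db_password'] = 'constructed-secret';
$GLOBALS['is_admin']    = false;
$GLOBALS['p']           = '42'; // a legitimate, public query value

// Read side: the name is only used on the right of the assignment.
// Whoever controls $names decides which globals get copied out.
function read_from_globals(array $names): array {
    $out = [];
    foreach ($names as $name) {
        if (is_string($name) && isset($GLOBALS[$name])) {
            $out[$name] = $GLOBALS[$name];
        }
    }
    return $out;
}

// Write side: the name is used on the left of the assignment.
// Whoever controls $input can replace any global, not just read it.
function write_to_globals(array $input): void {
    foreach ($input as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Hardened read: intersect the names with a fixed allow-list first,
// so the set of reachable globals no longer depends on the caller.
function read_allowed(array $names, array $allowed): array {
    $names = array_filter($names, 'is_string');
    return read_from_globals(array_values(array_intersect($names, $allowed)));
}

$allowed   = ['p', 'page_id'];       // fixed list of public names
$requested = ['p', 'db_password'];   // name list as if taken from a request

print_r(read_from_globals($requested));       // unfiltered read
print_r(read_allowed($requested, $allowed));  // allow-listed read

write_to_globals(['is_admin' => true]);       // unfiltered write
var_dump($GLOBALS['is_admin']);
```

Comparing the two `print_r` outputs shows what an unfiltered name list exposes on the read side, and the final `var_dump` shows why the write side is the more serious case.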