There was some ancient code in WP::parse_request() that looked in $GLOBALS when setting up query vars.
This is no longer the case: 
miqrogroove and Alex M. are discussing.
Get a security analyst to check that out ASAP. $GLOBALS[$wpvar] is a variable variable syntax. If that query_vars filter wasn’t hooked by something extremely conservative, anyone would be able to hijack WordPress just by setting $wpvar in a query.
Note how the color is red. The code was removed.
Note how WordPress is used on millions of websites that do not have this changeset.
Note the usage of wp_unregister_GLOBALS() at the beginning of every page load and how most hosts have the register globals setting disabled.
unregister_globals has nothing to do with this. Variable variable syntax in PHP gives direct access to everything in memory.
I see it was used only on the right side of the assignment and not on the left, so that does limit the attack surface to the query_vars array.
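The lookup pattern discussed in this thread, sketched as an added example that is not WordPress's code or any commenter's: a query-var builder that falls back to `$GLOBALS` beside one that reads only the request arrays. The function names, the allowlist contents, the lookup order and the sample data are all assumptions made for illustration.

```php
<?php
// Added illustration; names and lookup order are hypothetical, not WordPress's code.

// Constructed allowlist of query var names the parser accepts.
$public_query_vars = ['p', 'name', 'error', 'order'];

// Legacy-style builder: consults $GLOBALS for each allowlisted name.
// The key is taken from the allowlist, and $GLOBALS is only read, so the
// exposure is whatever global happens to share a name with a query var.
function build_query_vars_legacy(array $allowed, array $get, array $post): array
{
    $query_vars = [];
    foreach ($allowed as $wpvar) {
        if (isset($GLOBALS[$wpvar])) {
            $query_vars[$wpvar] = $GLOBALS[$wpvar];
        } elseif (isset($post[$wpvar])) {
            $query_vars[$wpvar] = $post[$wpvar];
        } elseif (isset($get[$wpvar])) {
            $query_vars[$wpvar] = $get[$wpvar];
        }
    }
    return $query_vars;
}

// Strict builder: values come only from the request arrays passed in.
function build_query_vars_strict(array $allowed, array $get, array $post): array
{
    $query_vars = [];
    foreach ($allowed as $wpvar) {
        if (isset($post[$wpvar])) {
            $query_vars[$wpvar] = $post[$wpvar];
        } elseif (isset($get[$wpvar])) {
            $query_vars[$wpvar] = $get[$wpvar];
        }
    }
    return $query_vars;
}

// Constructed scenario: unrelated code left a global named like a query var,
// and the request carries one allowlisted key and one that is not allowlisted.
$GLOBALS['order'] = 'value-left-by-unrelated-code';
$get = ['p' => '42', 'not_allowed' => 'x'];

// Compare which keys each builder accepts and where their values came from.
var_dump(build_query_vars_legacy($public_query_vars, $get, []));
var_dump(build_query_vars_strict($public_query_vars, $get, []));
```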