Opened 15 years ago
Closed 15 years ago
#10733 closed defect (bug) (duplicate)
Eval()'ed string not escaped properly
Reported by: | sirzooro | Owned by: | ryan |
---|---|---|---|
Milestone: | Priority: | high | |
Severity: | major | Version: | 2.8.4 |
Component: | Security | Keywords: | has-patch |
Focuses: | Cc: |
Description
There is a problem with permalinks, which is the root cause of last series of attacks on WordPresses. URL rewrite engine does not escape dollar signs in rules generated from permalink format, so it is possible to inject PHP code using specially crafted permalink format. There are two places where eval() is called: classes.php:219 and rewrite.php:302. These dollar signs should be escaped during rule generation, in generate_rewrite_rules() - attached patch does this.
You can also consider adding code to remove dollars from permalink format if someone will enter it on options screen (when options are saved), or even better to validate if all %something% tags consists of letters, numbers and underscores only (and maybe dashes too).
see: [11891]: Replace eval usage in request processing with new WP_MatchesMapRegex() class usage. Fixes #9602 for 2.8 branch props hakre.